Cable Modem Hacking Guide

September 20, 2017 | Author: Unique_Yammey | Category: Modem, Computer Network, Communications Protocols, Network Architecture, Networks

Included in this pack is all the software you will need to uncap your cable modem. Below are the instructions on how to perform this hack. Written by DerEngel provided by MonkeyWrencher. E-mail [email protected]

How To UnCap Motorola Surfboard Cable Modems Step by Step with Pictures (By DerEngel) Version 2.0

In case you're not familiar with what this is: cable companies put "caps" on the cable modems of the customers on their systems. These caps are enforced to ensure everyone has a fast and reliable connection to the internet. Or the cable company wants to tier your service, for example sell you a certain speed configuration at a price but also offer faster configurations for more. These caps tell the modem how fast it can send and receive data.

The original way to uncap a DOCSIS modem is to replace the modem's configuration file on startup with your own. A cable modem's speed settings (and some other settings) are encoded into a standard DOCSIS config, which the modem downloads when it boots up. When a cable modem comes online, it talks to a Universal Broadband Router (URB) and the URB tells the modem to download a certain file from a server. The first process involves getting this information. The config file is stored on a TFTP server. Once your modem downloads this config, it processes it, and if the CMTS (Cable Modem Termination System) is successful, your modem will come online. So to uncap your modem, you need to change this file.

Surfboard modems, as well as 3Com Sharkfin modems, have a big flaw in the original firmware. When the modem starts up, bridge forwarding from the Ethernet port is enabled. If you have connected a computer with its TCP/IP address set the same as the cable system's TFTP address, the modem will request the configuration file from the Ethernet port instead of the coaxial connection. Rumors have spread that this flaw was actually put there for testing when the modems were being designed and manufactured. That is why this exploit usually only works with Surfboards, because most cable modems will not request the config file from the Ethernet port.

Once your modem has downloaded the config from you, the modem will function just as normal, however the speed settings will be changed. Keep in mind that your speed can never go faster than you can physically get. Noise to decibel plays a big part in this: if you are 10 miles away from your ISP (or from your local node's coax-to-fiber router) you will probably surf slower than someone who is 1 mile away. This guide will show and explore how to exploit this and take advantage of your cable modem. Enjoy.

STEP 1: Gather information about your ISP's Cable System

In this step, we gather information about your Internet Service Provider's server. First you need to know your TFTP server. A TFTP server is where your ISP keeps certain files, configs, firmware updates etc. An ISP might have more than one TFTP server. Next you need to know your boot file's name. A boot file is the file that your ISP sends to your modem when it first connects to the service. The boot file is encoded with the MD5 algorithm fingerprint (it's a file protection scheme used over networks). This file contains many values, which we will discuss later.

You're going to need to know a few things.
• Your Boot File Name
• Your TFTP Server Address (usually the same as the DHCP)
• Your Current IP

I would also like to mention that sometimes the TFTP server can be DIFFERENT from the DHCP server. So if your modem doesn't download the file once you have changed your IP, try to resolve another server that might have the correct IP. First, we need to find your TFTP server. This can be done many ways.


The preferred way is to use the Step 2 Software from TCNiSO. Click Start Query, and it will retrieve the values from your modem. Note: This is also a good way to see if you are uncapped.

To find your DHCP server in the command prompt, Type ipconfig /all

To find your DHCP server in a web browser, open the page http://192.168.100.1/address.html and you should see your DHCP IP in the DHCP Server Address table. Note: Some modems won't display the correct information.

To find your DHCP server in Query.exe, Type Your MAC Address into the field (Example 00:20:40:E2:CA:5C) and then click "Fetch". Note: Query may take up to 30 minutes while it tries to find the information.

Second, we need to find your boot file's name. In Query, your boot file's name should be displayed (but sometimes it is not). DocsDiag can also show you the name of your file. A tutorial for it can be found Here. Now for most modems, you can find the boot file name in the logs of your modem. The logs can be found here: http://192.168.100.1/logs.html

7-Information    D509.0    Retrieved TFTP Config config_silver.cm SUCCESS

config_silver.cm is the name of your boot file (this file name WILL vary from provider to provider). Note: If none of these methods work for you, jump to Step 6 for an alternative way. Or try and use the Ethereal solution.

How to Capture your information using Ethereal

This tutorial shows you how to grab your TFTP server IP address and the name of your config file. Your ISP can do nothing to stop you from getting this information because it is necessary in order for your cable modem to function properly. Ethereal is a network interface sniffer: it sniffs network data packets. Using this application you can view the packets your ISP sends to your cable modem. Download Ethereal from www.Ethereal.com and install it. Note: you may have to install libraries or runtime files to run it. Once you have it running, continue below.

Click on Capture and Hit Start, this will bring up the options window you see below.

Make sure your Interface is your network interface card. If you have multiple Network cards, make sure you select the one that is connected to your modem. Next, make sure UDP is typed into the Filter box. And finally, Check "Update list of packets in real time".

Now this process might take some time, but you will eventually see packets from your ISP's server to your modem, or to other modems. The packets you are looking for will be of protocol SNMP, and the destination is usually 255.255.255.255. When you find the packet, take a look at the ASCII, and inside it you should find the IP of your TFTP server and the config name of your ISP. Another note: you will also be able to pick up the packets for business modems, that is, you will be able to see the config file name for faster configuration files. However, sometimes you will only be able to sniff them if they are on the same node as you.

STEP 2: Download your ISP's configuration or create your own

In this step, we retrieve the boot file so that we can modify it for the modem. The boot file controls the download speed, the upload speed, CPE (external devices that are assigned IPs), your frequency, and some other miscellaneous info. Your boot file is on a remote server at your ISP known as the TFTP server. Since ISPs will now try to make it difficult for you to retrieve this file, you can also create your own.

You can use the TCNiSO Step 2 Software to download your config

You can also retrieve your config from the Command Prompt:

tftp -i <TFTP server> GET <boot file> C:\<boot file>

For example, if your DHCP server is 24.25.26.1 and your boot file is silver.cm, you would type

tftp -i 24.25.26.1 GET silver.cm C:\silver.cm

Since ISPs can set up their systems to only let cable modems download the files, you can try to "spoof" your cable modem's HFC address. This can be done.

HFC Address Spoofing

This concept was originally derived from Byter. The principle behind this technique is to make your computer look like your modem. The first thing you need to know is your HFC gateway (the one you use to browse the internet).

You can get your HFC address by using your modem's internal website. Go to http://192.168.100.1/address.html and write down your HFC IP address. You can also get your HFC address by using tracert (in case your web interface is disabled). At the command prompt, type and run

tracert -d www.microsoft.com

The first IP listed should be your HFC IP (the first octet, the A class, should be 10). Once you have that information, you need to change your computer's IP. If you need help changing your IP, read Step 4. Change your IP to the HFC address, and then add 1 to your D class. For example, if your HFC address was 10.2.65.3 then you change your IP to 10.2.65.4. Technically you could use any number in your D class, so if the number was 255 you could go to 254.

Now that you have changed your IP, you should be able to use the above programs or methods to retrieve your config. Once you have your config you can change your IP back or move ahead to Step 3. Note: When you change your IP address you may not be able to surf web pages. You can check out the Alternative HFC Spoofing technique here.

STEP 3: Change your config file to the desired speed

In this step, we take a closer look at your boot file (config) and make the necessary modifications to change the speed. First we will decode your file, edit it, and then re-encode it for your modem.

Edit your config file using TCNiSO's own config editor called Docsis32Pro (byter)

This software makes it really easy to open up a config and change the speed values. You can find a copy of it in the Software section. For more advanced users who want to play with more settings, or to create your own basic config file, get ConfigEdit by need2down. You can also use this to create a config file in the event you don't have one. In the future we will release an easy-to-understand manual for all of the OIDs, SNMP objects and expressions.

Basic Config Definitions:

MaxRateDown and MaxRateUp are your download and upload speeds. These values are displayed in bits, so 10000000 equals 10Mbits. Edit your MRD and MRU to your liking. Do not make these values unreasonably high.

MaxCPE is the number of devices you can connect to the modem. For example, if you don't own a router but have a hub, you can connect extra computers to the modem.

SwUpgradeServer is the server your modem will look at to receive updates.

CmMic and CmtsMic are checksum values for the config. Any line containing these should be removed.

GenericUnknownTLV: any line containing this should also be deleted.

SnmpMibObject .1.3.6.1.2.1.69.1.2.1.7.1 = 4; that is, any line that contains this, with a number after the values, can be deleted or the "=" replaced with the word "Integer".

SnmpMibObject .1.3.6.1.2.1.69.1.2.1.4.1 = "public"; that is, any line that contains this, with a string after the values, should be deleted.

Once you edit your config, make sure you name it the same as your original. This new file is placed in your existing directory.

STEP 4: Setup a TCP/IP Interface on the TFTP Server IP (Change IP)

In this step you set up a client that will act as a TFTP server, which we will then use to send your modem your config file. To do this, you need to have a computer that is capable of running TFTP software. You will then need to connect the computer to the modem through a Local Area Network (LAN).

Troubleshooting Tip: Sometimes you need to unplug your modem when you change your IP. This has been reported to work on some machines when the normal method did not work.

In your Local Area Connection Properties, Choose Internet Protocol (TCP/IP) and Click Properties

Make sure you are using a specified IP address. Change your IP to that of your DHCP server's address. Change your Subnet mask to 255.255.255.0. Change your Default gateway to 192.168.100.1 (that is the IP of your Motorola modem). Note: Your DNS servers do not matter when uncapping.

[Screenshots: TCP/IP properties before and after the change]

Click OK and your machine will make the changes without restarting.

Windows 98 Users: To change your IP in Windows 98 or Windows ME without restarting, follow these steps. First you need to disable your Network Interface Card (NIC). Right-click on "My Computer" and go to Properties. Then go to the Device Manager tab and find your NIC under Network Adapters. Select your NIC and click Properties. Under Device Usage, check "Disable in this hardware profile". Click OK, then click Close. Under your network properties, find your TCP/IP protocol and click Properties.

Under the IP Address tab, click Specify IP Address and fill in your TFTP server IP and Subnet mask. Next click the Gateway tab and add 192.168.100.1. When prompted to restart, click NO. Now, once you have changed your IP, return to the Device Manager and enable your NIC. Once your NIC is functioning again, click Close. Proceed to Step 5.

STEP 5: Setup a TFTP on Your System And Upload the New Config

Now that we have a computer set up with the IP of the TFTP server, you must install and set up a TFTP server. Once the server is configured, the cable modem needs to be restarted. When the modem boots up, it should download the config from the server.

TCNiSO Step 5 (TFTP Server)

This application is really easy to use: just set the path of your config and click Start Server. Note: This application also pings your modem while attempting to send the file. (This is sometimes necessary for some modems.) It also sets the Time of Day on your modem.

You can also use tftpd32.exe. When you first run it, make sure it says "Listening on port 69" before you make any changes to the Settings tab. Click on Properties and make the following changes.

Security: None (We don't want to authenticate your modem, do we?)
Base Directory: The directory your edited config file is in.
Use Tftpd32 only on this interface: should be set to your DHCP server.
Translate Unix file names (Unix systems don't support file names with special characters or spaces.)

Click OK and minimize tftpd32.exe. Make sure your EDITED boot file is in C:\ (your Base Directory). Next, all you have to do is restart the cable modem. Unplug your modem, then plug it back in. Your Power light should come on and start flashing. Now watch your tftpd32.exe main window. It should say that your modem is asking for that boot file, and your server should send it to your modem. If your modem asks for any additional files, unplug your modem, copy and paste your boot file in your C: and rename it to the file it was asking for.

As you can see, your modem should request the file (in this case isrrlP1BW1.bin) and your computer should send out the file it requests. If your modem accepts the edited file, your modem now has the edited file and is uncapped.

Troubleshooting Tip: If your modem requests the boot file several times, this is usually an error. The first thing you should do is check the modem's logs and try to determine what that error is. If you see an error called

1-Emergency    D8.0    TFTP Complete, but failed Integrity Check (MIC)

this is the error meaning the config's MD5 check is invalid. Try using the MD5 Remover from the software section. Also, some users with SB3100s have had to ping their modems while they restarted them. To do this, go into your command prompt and type "ping -t 192.168.100.1"
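From the operator's side, the two log entries quoted in this guide (D509.0 and D8.0) are the traces this procedure leaves on the modem. The following is an added example, not part of the original guide: a Python check over collected modem event logs that flags repeated MIC failures and retrieved config files that differ from the provisioned tier. The MAC addresses, the way logs are collected, and the `PROVISIONED` table are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (modem MAC, event-log line) pairs. The line layout
# "<priority>-<level> <event code> <message>" follows the entries quoted in the guide.
SAMPLE_LOGS = [
    ("00:20:40:aa:00:01", "7-Information D509.0 Retrieved TFTP Config config_silver.cm SUCCESS"),
    ("00:20:40:aa:00:02", "1-Emergency D8.0 TFTP Complete, but failed Integrity Check (MIC)"),
    ("00:20:40:aa:00:02", "1-Emergency D8.0 TFTP Complete, but failed Integrity Check (MIC)"),
    ("00:20:40:aa:00:02", "7-Information D509.0 Retrieved TFTP Config config_silver.cm SUCCESS"),
    ("00:20:40:aa:00:03", "7-Information D509.0 Retrieved TFTP Config config_gold.cm SUCCESS"),
    ("00:20:40:aa:00:03", "not a log entry"),
]

# Hypothetical provisioning records: the config file each modem is billed for.
PROVISIONED = {
    "00:20:40:aa:00:01": "config_silver.cm",
    "00:20:40:aa:00:02": "config_silver.cm",
    "00:20:40:aa:00:03": "config_silver.cm",
}

EVENT_RE = re.compile(r"^(?P<prio>\d)-(?P<level>\w+)\s+(?P<code>[A-Z]\d+\.\d+)\s+(?P<msg>.+)$")
CONFIG_RE = re.compile(r"^Retrieved TFTP Config (?P<name>\S+) SUCCESS$")


def parse_event(line):
    """Split one log line into priority, level, event code and message; None if malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(logs, provisioned, mic_threshold=2):
    """Return {mac: [findings]} for modems whose logs look like config tampering."""
    mic_failures = defaultdict(int)
    findings = defaultdict(list)
    for mac, line in logs:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that do not follow the expected layout
        if ev["code"] == "D8.0" and "Integrity Check (MIC)" in ev["msg"]:
            mic_failures[mac] += 1
        elif ev["code"] == "D509.0":
            cfg = CONFIG_RE.match(ev["msg"])
            expected = provisioned.get(mac)
            if cfg and cfg["name"] != expected:
                findings[mac].append(
                    f"config-mismatch: got {cfg['name']}, provisioned {expected}")
    # One MIC failure can be a transfer glitch; repeated failures suggest an edited file.
    for mac, count in mic_failures.items():
        if count >= mic_threshold:
            findings[mac].append(f"mic-failure x{count}")
    return dict(findings)


if __name__ == "__main__":
    for mac, issues in audit(SAMPLE_LOGS, PROVISIONED).items():
        print(mac, issues)
```

A config served from the LAN under the provisioned filename produces the same D509.0 line, so the filename comparison only catches a different tier's file. Rejecting edited contents depends on the CMTS verifying the config's MIC against a shared secret.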

Copyright 2002 - DerEngel - CableModemHack.com in association with TCNiSO

STEP 6: Change your Settings back and Download

Since you cannot browse the internet with the settings of your ISP, you need to change them back to the original settings. Once that is done, download and enjoy the speed.

First Restore your TCP/IP Settings

You must change your IP back to one that your ISP will allow you to have online. You can enter your original settings in here, or set both settings to Obtain Automatically. Return to your TCP/IP settings and change your IP and your Default gateway back to how you had them before.

Click OK, and your computer should now return and be online, with your modem running a new config file. You should be able to download and upload at the maximum values physically possible. My favorite part: to test your connection, try to upload an MP3 or a file to a friend, or go visit a very fast website. Note: Some websites might not have enough bandwidth open for you to get fast speeds.

Most cable modems are not capped on the downstream; some are. Speeds will vary with your location and the quality of your cable. If you found this page useful or have ANY questions, don't hesitate to email me. If you want to help out, please donate 5$ through PayPal. Email Address: [email protected] - It shows us your appreciation for all the hard work we have put into this project. One-on-one help can be available. Also visit our IRC channel; we have much to offer for capped or uncapped people alike.

If your modem's Activity light is still on and you cannot seem to connect to the internet, your config file might be incorrect. Unplug your modem, turn off your TFTP server, and plug your modem back in. Also, every time your modem's power is cycled, you will need to set up a TFTP server to resend the edited config. Also keep in mind that there is new firmware floating around that ISPs can use to re-cap you permanently. So don't forget to check out the Firmware section. IRC channel is #Surfboard on Efnet.

On a final note, if your modem will not take the config file you are trying to send to it even after you use the MD5 hack, try uploading your original untampered config. If it will upload, then you may be able to find faster files in your area. For faster files use those included in the onestep program and visit fibercoax.net for a config finder. Currently surfboardhack.com also offers a finder called dfile thief.

Have a nice day… Monkeywrencher [email protected] for MSN IM and Nickadavid on AIM. ALSO DON'T FORGET TO VISIT THEORYSHARE.COM
