Haxorware Manual

August 17, 2018 | Author: VivianandEnrique Garibay | Category: Ip Address, Port (Computer Networking), Booting, Electronics, Computer Data

Haxorware Modem Firmware

This book is intended to be a manual for Haxorware, which is a custom cable modem firmware. This is a legal firmware change. This book is NOT intended to demonstrate or condone any illegal practices. DO NOT add information to this book regarding ANY theft of service!

Overview

Current Revision: 1.1 R39 Webstar
Compatibility: All BCM3349 chipset based modems (including SB5101/E/i, SB5102/E/i, Webstar DPC2100R2, RCA DCM425, Ambit 250/255/256)
Versions: DIAG & LITE.

DIAG
• Might not perform optimally on an 8MB RAM modem (16/32MB upgrade recommended).
• Based on sb5102u/n firmware (which includes diagnostic output, console and SPI support).
• Much more verbose, to troubleshoot issues.
• Standby button does not work.
• Memory leak on SPI modems fixed in Rev39.

LITE
• Based on sb5101e firmware.
• Does not support SPI flash based modems.
• Crippled shell & much less diagnostic output in telnet/serial. Static IP option is missing because there is no ipconfig command in the shell anymore (and the entire /ip page is missing too).
• The standby button on a 5101 works in LITE.

Haxorware Modem Firmware/Installation

Installation varies based on your available method. Some methods require different hardware modifications, such as a JTAG or serial connector (outside the scope of this PDF). ALWAYS back up the current firmware. If you flash a 2MB dump over the existing firmware, you will lose the modem's original certificates forever.

JtagUtility Instructions:

If your modem is currently running infinite firmware, it is recommended to restore it to stock, like it was out of the box. To do this, you restore your 2MB backup that I hope you made before flashing infinite. The commands are as follows:

    detect
    ldram 9fc00000
    (A File Open dialog will appear, find your 2MB backup file and click open)
    program 9fc00000 200000

It is recommended you make a backup before flashing haxorware (or any other hacked firmware) onto your modem. To create a 2MB backup with JtagUtility, enter the following commands:

    detect
    getram 9fc00000 200000
    save 9fc00000 200000
    (A save as dialog will appear, choose where to save your 2MB backup)

To program haxorware to your modem using JtagUtility, issue the following commands:

    detect
    ldram 9fc10000
    (A File Open dialog will appear, find the haxorware firmware file you want (haxorware11revXX-XXXX.bin) and click open)
    program 9fc10000 130000

After the flashing is complete, reboot your modem and enjoy Haxorware

Flashing over serial:

Diagnostic cable instructions (requires noisy bootloader):
• Set your computer's IP to 192.168.100.10
• Set up a TFTP server with haxorware11revXX-XXXX.bin in its root
• Connect to the modem with hyperterminal or putty (with CR/LF changed to LF)
• While the modem is turning on, press p (you should get a prompt)
• If you do not get a prompt for pressing p, your modem does not have a noisy bootloader, and you will have to use JTAG
• Set the Modem IP to 192.168.100.1
• Leave everything else at the defaults (just press enter)
• When you get to the bootloader menu, press d
• Enter 192.168.100.10 as TFTP IP
• Enter haxorware11revXX-XXXX.bin as filename
• It should download (the dots indicate progress)
• When asked what image to save to, answer 1
• Answer y to the "Store uncompressed image" prompt
• Press b once you are back at the menu to boot the modem

USBJTAG Instructions:

If your modem is currently running infinite firmware, it is recommended to restore it to stock, like it was out of the box. To do this, you restore your 2MB backup that I hope you made before flashing infinite. The commands are as follows:

    detect
    ldram 9fc00000
    (A File Open dialog will appear, find your 2MB backup file and click open)
    program 9fc00000 200000

It is recommended you make a backup before flashing haxorware (or any other hacked firmware) onto your modem. To create a 2MB backup with usbjtag, enter the following commands:

    detect
    getram 9fc00000 200000
    save 9fc00000 200000
    (A save as dialog will appear, choose where to save your 2MB backup)

To program haxorware to your modem using USBJTAG, please overwrite your usbjtag.def with the one from this archive. After that, start USBJTAG and choose the SB5101 profile (Tools->Config will open the profile selection dialog). Then issue the following commands:

    detect
    ldram Firmware
    (A File Open dialog will appear, find haxorware11revXX-XXXX.bin and click open)
    program Firmware

After the flashing is complete, reboot your modem and enjoy Haxorware

USBJTAGNT Instructions:

If your modem is currently running infinite firmware, it is recommended to restore it to stock, like it was out of the box. To do this, you restore your 2MB backup that I hope you made before flashing infinite. The commands are as follows:

    detect
    ldram 9fc00000
    (A File Open dialog will appear, find your 2MB backup file and click open)
    program 9fc00000 200000

It is recommended you make a backup before flashing haxorware (or any other hacked firmware) onto your modem. To create a 2MB backup with usbjtag, enter the following commands:

    detect
    getram 9fc00000 200000
    save 9fc00000 200000
    (A save as dialog will appear, choose where to save your 2MB backup)

To program haxorware to your modem using USBJTAGNT, start USBJTAGNT and choose the SB5101Mod profile (Tools->Config will open the profile selection dialog). Then issue the following commands:

    detect
    ldram Firmware
    (A File Open dialog will appear, find haxorware11revXX-XXXX.bin and click open)
    program Firmware

After the flashing is complete, reboot your modem and enjoy Haxorware
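
An added check for the 2MB backups made in the JtagUtility, USBJTAG and USBJTAGNT steps above (example code, not part of the Haxorware manual or its tools): it compares two reads of the same flash, rejects short or blank dumps, and shows which file offsets the firmware-only write at 9fc10000 covers. The function names and the read-twice approach are assumptions of this example; the addresses and lengths are the ones in the commands above.

```python
import hashlib

FLASH_BASE = 0x9FC00000  # address of the full backup (getram/save)
FLASH_SIZE = 0x200000    # 2MB length of the full backup
FW_ADDR = 0x9FC10000     # address of the firmware-only write (ldram/program)
FW_SIZE = 0x130000       # length of the firmware-only write


def firmware_window():
    """File offsets (start, end) of the firmware-only write inside the dump."""
    start = FW_ADDR - FLASH_BASE
    return start, start + FW_SIZE


def check_backup(read1, read2):
    """Return a list of problems found in two independent reads of the flash."""
    problems = []
    for name, data in (("first read", read1), ("second read", read2)):
        if len(data) != FLASH_SIZE:
            problems.append(f"{name}: {len(data):#x} bytes, expected {FLASH_SIZE:#x}")
        elif data.count(data[0]) == len(data):
            # One repeated byte (typically 0xff or 0x00) means the adapter
            # read an idle bus rather than flash contents.
            problems.append(f"{name}: every byte is {data[0]:#04x}")
    if not problems and read1 != read2:
        diff = next(i for i, (a, b) in enumerate(zip(read1, read2)) if a != b)
        problems.append(f"reads differ, first at offset {diff:#x}")
    return problems


def outside_window_unchanged(before, after):
    """True if bytes outside the firmware window match in both dumps."""
    start, end = firmware_window()
    return before[:start] == after[:start] and before[end:] == after[end:]


if __name__ == "__main__":
    # Constructed stand-in for a real dump: a repeating 0..250 pattern.
    dump = bytes(i % 251 for i in range(FLASH_SIZE))
    print("window:", [hex(x) for x in firmware_window()])
    print("problems:", check_backup(dump, dump) or "none")
    print("sha256:", hashlib.sha256(dump).hexdigest())
```

Settings the modem saves by itself may also change bytes outside the window, so a mismatch from outside_window_unchanged is a reason to inspect the dumps, not proof of a bad flash.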

Upgrading from previous shelled firmware (infinite) or Haxorware 1.0

• Set your computer's IP to 192.168.100.10
• Set up a TFTP server with haxorware11revXX-XXXX.bin in its root
• Make sure the haxorware webgui isn't currently open
• Connect to the modem with hyperterminal or telnet to the IP 192.168.100.1
• Enter your username and password

    cd /ip
    ipconfig 1 release
    y
    dload -i 1 -l -f 192.168.100.10 haxorware11revXX-XXXX.bin
    y
    cd /
    reset

Haxorware 1.1 should now boot

Upgrading from Haxorware 1.1

Make sure the modem's CPU usage is low. If it is currently scanning for downstream, make it stop by going to the web shell and entering:

    cd /docsis
    scan_stop

The safest time to do the Firmware Upgrade is when the modem is fully operational and online. Then use the Firmware Upgrade page on the WebGUI, find haxorware11revXX-XXXX.bin and upload it to the modem in the Firmware section. Reboot the modem using the WebGUI or otherwise, and the new version of Haxorware should now boot.

Haxorware Status/Overview

HFC Parameters
Mode - DHCP assigned address or Static
IP Address - Your currently assigned IP address
Subnet - Subnet mask applied to your IP address
TFTP Server - "Provisioned" Config file name assigned by your ISP
TFTP Filename - "Provisioned" Config file name assigned by your ISP
ToD Server - "Provisioned" Time Of Day server IP assigned by your ISP to synchronize against.

Configuration file
Name - "Actual" Config file name in use. When using one different from what was assigned by the ISP, the filename shows here.
Size - Config file size
Compliance - DOCSIS version compliance of this config file.

Haxorware Status/Signal

Downstream
Frequency - This is the frequency your downstream channel is on
Status - Whether the channel is locked or in process
Annex - DOCSIS or EURODOCSIS
Modulation - Modulation rate such as QAM256, QAM16, etc. Higher is faster.
Symbol Rate - Number of symbols per second.
Receive Power - Downstream channel signal strength measured in dBmV.
Signal to Noise ratio - SNR measured in decibels (higher is better)

Upstream
Frequency - This is the frequency your upstream channel is on
Channel ID - Upstream channel number
Status - Whether the channel is locked or in process
Mode - TDMA or ATDMA. (ATDMA is faster)
Symbol Rate - Number of symbols per second.
Transmit Power - Broadcast signal strength to the head end at your ISP measured in dBmV

Haxorware Status/Event Log

Displays Events and errors in operation

Haxorware Configuration/Settings

Settings
Factory Mode - This forces the modem to behave as if it was supplied by the ISP and bypasses custom settings.
Disable Firmware Upgrades - This option will force Haxorware to ignore new modem firmware pushes from the ISP. Unchecking this could compromise your Haxorware install.
Force Network Access
Tftp Enforce Bypass - If your ISP enforces Tftp config file, this option will tell the modem to download the supplied config file at the right point, even if you are using another one.
Disable IP Filters on startup - IP filters are used by some ISPs to block traffic of certain types on certain ports (such as if your ISP blocks port 80 to prevent you from hosting a web server). This option bypasses them entirely.

Timeouts
Ignore T1 (No valid UCDs)
Ignore T2 (Ranging Opportunity)
Ignore T3 (Ranging Response)
Ignore T4 (Station Maintenance)

Administration
Control Panel IP Address - Set a different IP than standard here if necessary
DHCP Server - Check this to assign the IP to WAN on router or to PC. Uncheck this ONLY if you have it set manually.

WebGUI
Password protection - Enable or disable password protecting the GUI from tampering.

Telnet Server
Current state - Whether Telnet services are running
Run on startup - Whether Telnet should start when the modem is booted, or only when manually enabled.

Haxorware Configuration/Frequency

Annex - Choose DOCSIS or EURODOCSIS based on your region.
Plan - Choose the type matching your region.
Preferred DS Freq 1, 2, & 3 - Displayed in "Hz", not "MHz" (for example, 600MHz would actually be entered as 600000000). These are the frequencies checked first before scanning.
Upstream Channel - This is the preferred upstream channel to try before scanning for available channels.

Haxorware Configuration/Addresses

Addresses
HFC MAC - This is the MAC address your ISP will see for this modem. Changing this to a number that does not have factory certificates loaded will generate a self-signed certificate. Most ISPs do not accept self-signed certificates in BPI+ DOCSIS 1.1 mode. Click copy from certificate to change back to the MAC for the current certificate.
Ethernet MAC - This is the MAC address your computer or router sees when querying the modem via ethernet
USB MAC - This is the MAC address your computer or router sees when querying the modem via USB
Serial Number - This is the serial number for the modem presented upon query

Certificate generation
Certificate type - When generating certificates, this is the type of certificate preferred

Haxorware Configuration/Config File

Force Config File
Server IP - This is the IP address of the TFTP server hosting the config file you want to run.
File name - This is the filename of the config file you want to pull from the above IP

Autoserve
Autoserve Config File - Disabled until new config is uploaded. Some ISPs can be tricked to allow you online using a config file saved directly to your modem instead.
Store new config - Where you upload a stored config file.

Haxorware Configuration/Baseline Privacy

Baseline Privacy
BPI - Baseline privacy version running. BPI 1.1 must be enabled to use DOCSIS 1.1 config files with valid certificates. Bypass must be enabled to use 1.1 configs with self-signed certificates, but will not work on all providers.

Backup/Restore
Backup - Backup your current certificate set
Restore from filesystem - Restore uploaded or previously backed up certificate sets
Restore from file

Certificate Download
Download individual certificates

Certificate Upload
Upload individual certificates here

Haxorware Advanced/Static IP

Force Static IP - Check this to force your modem to override any DHCP assigned information with the contents below. Note that this does not stop your provider from assigning your IP to another user, since you did not pull from their pool.
Suppress DHCP Requests - Check this to ignore any requests from the provider to provide your modem with a DHCP lease
IP Address - Enter your desired IP Address here
Subnet Mask - Enter the applicable subnet mask here
Gateway - Enter the appropriate gateway here
TFTP IP - Enter your desired TFTP server IP address here
TFTP Filename - Enter the Configuration filename on the TFTP server provided you wish to run
ToD IP - Enter your desired Time Of Day server address here. This is generally the same as the TFTP server IP

Haxorware Advanced/Stealth

Modem Identifiers
Vendor - Enter the manufacturer you want to emulate or tell the ISP you are running
Model - This is where you enter the Model number information you want to supply
Software Version - This is where you enter the firmware version you want to supply
Override Hardware Version - Check this to supply a different hardware version to the vendor other than what it is.
Hardware Version - Enter the hardware version you want to supply here
Override Bootloader Revision - Check this to override the default bootloader revision sent to your ISP
Bootloader Revision - Enter revision information here

SNMP Agent
Server Port - Port number for SNMP scans
Disable SNMP Agent after registration - Check this to disable SNMP probe requests from your ISP after initial registration when the modem goes online (recommended)
Redirect SNMP Traps - When SNMP requests are sent, redirect them to another device and port (such as another modem on the network)
IP - IP address to redirect to
Port - Destination port at redirected IP

Haxorware Advanced/Downloader

This page allows you to download config files from your ISP's TFTP server to examine them with programs such as vultureware or autoserve them from the modem. The IP address and Filename may be entered here, and clicking download will prompt you with a file save dialog box.

Haxorware Advanced/File Manager

Free Space
Before Defragmentation - Size in KB before a defragmentation is performed
After Defragmentation - Size in KB after a defragmentation is performed

Haxorware Configuration
Config File - This allows you to Download or Delete the existing config file stored in the modem
File Size - Filesize of config file in bytes
Entries - Number of entries in the config file

Restore From File
Files - Previous backup files or uploaded files are shown here, which can be downloaded or deleted, in the following format: CMXXXXXXXXXXXX.tar (size in bytes) (option) Download Delete

Upload New File
Choose file dialog prompted when this is clicked. Click upload after picking the file to upload.

Haxorware Web Shell

Any Shell commands can be entered here. These are generally commands you might use when at a file system shell (such as telnet) without having to open an actual session.

Haxorware Backup and Restore

Here you can Backup either your nonvol information, or do a FULL firmware backup (2MB) to a file. When you click backup you get prompted with a file save dialog. You also can restore a previously backed up Nonvol here in case of issues

Haxorware Firmware upgrade

Firmware upgrade
Firmware Image - Pick the file you want to upload. Be sure to pick the right one. Haxorware DOES however have provisions to prevent drastically wrong choices (such as accidentally picking a 10kb text file)

Bootloader upgrade
Bootloader Image - Update the bootloader only (such as if you need to load the noisy bootloader to diagnose issues)

Haxorware Factory Defaults

Clears all dynamic settings such as preferred downstream frequencies, upstream channel IDs and their power levels.

Haxorware About

Information about Haxorware

Haxorware Reboot

Modem reboot page

Relevant Links
• http://www.sbhacker.net
• http://www.haxorware.com

Original idea educate taken from the wiki article here http://en.wikibooks.org/wiki/Haxorware_Modem_Firmware
