Hacking Cable Modem Config File
Uncategorized, 2020. 2. 29. 00:34
Recently, I stumbled upon an old cable modem sitting next to the dumpster. A neighbor had just moved out and thrown away boxes of old junk. I was excited because the modem is much better than the one I currently use and has fancy features like built-in 5GHz WiFi and DOCSIS 3.0 support. When I called my Internet service provider to activate it, though, they told me that the modem was tied to another account, likely because the neighbors did not deactivate the device before throwing it away. The technician doesn’t have access to their account, so I would have to either wait for it to become inactive or somehow find them and convince them to help me set up the modem they threw away.

But hackers always find a third option. I thought I could just reprogram the MAC address and activate it without issue. Modems/routers are infamously easy to hack because they always have outdated software and unprotected hardware.
Almost every reverse engineering blog has a post on hacking some router at some point, and every hardware hacking “training camp” works on a NETGEAR or Linksys unit. So this post will be my rite of passage into writing a “real” hardware hacking blog.

BPI+

Getting access to a shell was laughably easy, so I won’t even go into details. In short, I Googled the FCC ID found on the sticker and found the full schematics for the board along with the part numbers of all the chips (such information is required in the FCC approval process, but most companies request that it be kept confidential). Through the schematics, I found the UART console, which was nicely exposed through an unpopulated connector. In fact, I did too much work here, because after opening the device up I found the word “CONSOLE” printed on the solder mask right next to those ports.
After soldering some headers to it, I was able to connect it to my Raspberry Pi and enter the root shell without needing any password. The whole process took about an hour, most of that time spent trying to physically open the plastic shell because (and this may be surprising) hackers are not the epitome of physical strength.

Once I got a shell, I dumped the flash memory and grepped for the MAC address printed on the label (trying hex, ASCII, and different separators). I found a file in a partition labeled NVRAM containing the MAC address. The file does not appear to have any checksum, so I just replaced it with a new MAC, rebooted, and nothing. The modem refused to establish a connection. That’s when the real work started.

The first clue was looking around in the NVRAM partition and finding a set of certificates signed for the modem’s MAC address.
Googling “DOCSIS certificate” led me down the rabbit hole of modem cloning, service stealing, bandwidth unlocking, and so on. I learned how, not too long ago, people would modify their modem configuration files in order to unlock higher speeds than what they paid for (if anything at all). As ISPs clamped down and secured their infrastructure, the hackers moved on to “cloning” modems: finding the MAC address of an existing subscriber and reprogramming their own modem to use the same MAC address in order to steal service. As a result of all this, the DOCSIS 1.1 specification established a PKI system for validating MAC addresses.

First, I generated a set of self-signed certificates for my new MAC address. Surprisingly, I was able to provision the modem: my ISP accepted the certificate and gave me an IP address. Unfortunately, I was not able to access the Internet, and even using my old router’s MAC address did not work. My guess is that self-signed certificates are used by engineers to test the network and therefore do not allow access to the Internet.
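The PKI check described above, as an added example that is not part of the original post: a CMTS-style BPI+ decision in Go that accepts a modem only if its certificate chains to a trusted manufacturer CA and the certificate’s subject CN equals the MAC the modem presents, which is why neither a rewritten NVRAM file nor a self-signed certificate gets past it. It assumes a single manufacturer CA with Ed25519 keys (the real DOCSIS hierarchy is an RSA root / manufacturer / device chain) and that the MAC lives in the device certificate’s CN; the names newCert, checkModemCert and demo and the sample MACs are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a cert with CN = cn; parent == nil makes it self-signed. Ed25519 one-CA fixture, not the real DOCSIS RSA chain.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkModemCert is the CMTS-side BPI+ decision: the cert must chain to a trusted manufacturer CA
// and its CN must equal the MAC the modem claims on the wire; either failure rejects the modem.
func checkModemCert(cert *x509.Certificate, roots *x509.CertPool, claimedMAC string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	if cert.Subject.CommonName != claimedMAC { // both in canonical XX:XX:XX:XX:XX:XX form
		return fmt.Errorf("certificate is bound to %s, modem claims %s", cert.Subject.CommonName, claimedMAC)
	}
	return nil
}

// demo: genuine cert + own MAC, genuine cert + reprogrammed MAC, self-signed cert for the new MAC (constructed sample MACs).
func demo() [3]error {
	ca, caKey := newCert("Example Manufacturer CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine, _ := newCert("00:11:22:33:44:55", false, ca, caKey)
	clone, _ := newCert("66:77:88:99:AA:BB", false, nil, nil)
	return [3]error{checkModemCert(genuine, roots, "00:11:22:33:44:55"),
		checkModemCert(genuine, roots, "66:77:88:99:AA:BB"), checkModemCert(clone, roots, "66:77:88:99:AA:BB")}
}
```

Only the first case returns nil: the MAC binding lives in the manufacturer’s signature, so the headend does not need a checksum on the NVRAM file to notice a reprogrammed address.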
It likely also has to do with protections against “simple” cloning. Now my plan is to get a new set of certificates from an unactivated device. I went on eBay and bought a broken SurfBoard SBG6580. The reason for this model is purely that it was the cheapest one I could find. Since it was broken, it is more likely to be deactivated.

Dumping SBG6580

Unfortunately, the FCC does not have the schematics for this device public, but a quick inspection showed that the chip labeled Spansion FL128SAIF00 is a 16MiB SPI-based flash memory, with the datasheet easily available online.
Being a TSOP chip, it is easy enough to solder wires to, and luckily I remembered from back when I downgraded my PS3 that the Teensy 2 has SPI dumping support. I connected the Teensy 2 and patched in support for detecting this chip.

binwalk was able to find some embedded certificates.
I’ve been developing software for over 25 years. My ISP refuses to let me purchase my own DOCSIS modem and I MUST use their piece of S#IT (POS). I was searching for a way of spoofing the MAC Addr so that I could use my own modem. Even with the 25+ years of software dev, what you describe sounds like fun but not simple (not for an old dog like myself anyway).

I was hoping for a silver bullet. I’ve tried to ssh into the POS modem but it’s locked down pretty well (probably a result of safeguards against the rabbit hole of modem cloning, etc.). Thanks for the entertaining blog post and a trip back down memory lane to when 4K was considered a lot of memory.

This article is excellent, but at the same time, showed how “out of my league” all this procedure is. As others posted here, I’m stuck with an old cable modem with DOCSIS 2.0 on it.