Hacking the Cable Modem

by
  • ISBN13: 9781593271015
  • ISBN10: 1593271018
  • Format: Trade Paper
  • Copyright: 2006-09-06
  • Publisher: No Starch Press
List Price: $29.95

Summary

When freed from restrictions set by service providers, cable modems can be tricked out to reach unbelievably fast speeds. An underground network of hackers has discovered ways to get around the imposed speed limit, and those secrets are shared in Hacking the Cable Modem. Readers learn how cable modems work, and how to bypass security, install firmware updates, customise cable modems, increase upload and download speeds, unlock hidden features and more. Detailed illustrations and straightforward terminology show how to modify actual devices.

Author Biography

Profiled by Security Focus, TechTV, and the Register, DerEngel has been hailed as "the underground Prometheus of super-broadband." He has written several programs to simplify and streamline the uncapping process since he started hacking into cable modems five years ago. He currently heads TCNiSO, a group of hackers who have revolutionized reverse engineering techniques and produce free hackware.

Table of Contents

Introduction
My Origin
Why a Book on Hacking Cable Modems?
Why Should I Read This Book?
Cable Modem Hacking Secrets Exposed
This Is the Only Book That Includes Everything!
How This Book Is Organized
Always Hack Responsibly
A History of Cable Modem Hacking
In the Beginning
The Cap
DOCSIS: The Cable Modem Standard
DOCSIS Takes Effect
Finding the Holes
TFTP Settings and Config Files
ARP Poisoning
How This Hack Could Have Been Prevented
Cable Modem Hacking Begins
Creating an Executable Hack
Defeating the Message Integrity Check
Fireball and Cable Modem Firmware
How the Firmware Is Upgraded
Isabella
Controlling the Firmware with SIGMA
DOCSIS 2.0
Blackcat
What's to Come
The Cable Modem Showcase
DOCSIS vs. Non-DOCSIS
Standard Features
Wireless Support
Universal Serial Bus Port
External Case
Voice over IP Support
Additional Features
Purchasing Guide
Available Features
The Showcase
A Faster Internet
About Coaxial Cable
Hybrid Cable Modems
The Creation of DSL
DSL vs. Cable Modem Service
The Physical Network Layer
Hybrid Fiber-Coax Networks
Problems with Cable Modems
Myths
Sniffing
What's Really Important?
The Truth
The DOCSIS Standard
Cable Labs
About DOCSIS Certification
How Data Is Communicated
Detecting Packet Errors
The Basic DOCSIS Network Topology
Data Link Transport Layer
Media Access Control
How Modems Register Online
Versions of DOCSIS
DOCSIS 1.0
DOCSIS 1.1
DOCSIS 2.0
DOCSIS 3.0
Consequences
Why Certify?
What's Inside?
Opening the Case
Debug Ports
The Microcontroller
Input/Output Ports
Hardware Components
Firmware
Overview of Hardware Components
Flash Memory
MIPS Microprocessor
VxWorks Operating System
Bootup Process
Firmware Upgrade Process
Firmware Naming Scheme
Study the Firmware
Our Limitations
Restrictions on Technology
Why the Limits?
Restrictions on Cable Modems
The Cap
Network Overhead and Bottlenecks
Removing Port Restrictions
Using the VxWorks Shell (Surfboard-Specific Solution)
Using SNMP (Generic Solution)
Know Your Limitations
Reverse Engineering
A History of Reverse Engineering
Recommended Tools
Soldering Irons
Dental Picks
Cutting Tools
Chip Quik
Desoldering Braid
Opening the Case
My Methods
Record Everything
Download the Firmware
Research the Components
Cable Modem Security
Upgradeable Firmware
Message Integrity Check
Minimal User Interaction
Cryptography
Certification
Dynamic Configuration
Other Security Measures
Buffer Overflows
Types of Buffer Overflow Attacks
The Origin of Buffer Overflow Vulnerabilities
Developing a Buffer Overflow Exploit
The Long Process
The Phone Conversation
The Drawing Board
The Dead Modem
A Quick Lesson About MIPS Assembly Language
Disassembling the Firmware
Our Downfall
Our Comeback
No Time to Rest
The Source Code
Sigma Firmware
Interface
Features
Advanced Page
Addresses Page
Configuration Page
A New Kind of Sigma
Sigma-X
Symbol File
Telnet Shell
Sigma Memory Manager
The Finished Firmware
The Future
Hacking Frequencies
The Difference Between DOCSIS and EuroDOCSIS
Changing a Surfboard Modem's Frequency Plan
Using the VxWorks Console Shell
Using SNMP
Using the Surfboard Factory Mode
When It Doesn't Work
Useful Software
Necessities
FileZilla Server
TFTPD32
TCPOptimizer
HexEdit
OneStep
Information Discovery Software
DocsDiag
Net-SNMP
Ethereal
DiFile Thief
Soft Modding Software
Hard Modding Software
EtherBoot
Schwarze Katze
Fireball Software
Firmware Image Packager
Patch!
Disassembler
Symbol Utility
The Firmware Assembler
Advanced Software
The Interactive Disassembler
SPIM
Reverse Engineering Compiler
Advantages of Firmware Hacking
Gathering Information
Using the Modem's Diagnostic HTTP Pages
Using Ethereal to Find Configs
Set Capture Options
Set Up an Express Filter
The Ethereal User Interface
Using Coax Thief
Using SNMP
SNMP Scanner
DocsDiag
Using Sigma
NodeScanner
Coax Side Sniffer
The Blackcat Programmer
In the Beginning
Developing Blackcat
Building a Blackcat Cable
Parts List
Schematic
Constructing the Cable
Connecting the Cable
Obtaining the Software
The Blackcat Engine
The Graphical User Interface
How to Hack a Surfboard SB5100
Traditional Uncapping
Step 1: Know Your ISP
Step 2: Retrieve the Config Files
Step 3: Change Your Config File
Step 4: Change Your IP Address
Windows 2000 and Later Versions
Windows 98/98 SE/Me
Step 5: Upload Your Own Config File
Uncapped
Building a Console Cable
The Console Port
What Is TTL?
Examining the Schematic
How to Build a Console Port
Step 1: Gather the Parts
Step 2: Gather the Tools
Step 3: Put the Pieces Together
Step 4: Connect the RS-232 Cable
Step 5: Connect the TTL Lines
Step 6: Connect the Cable
Step 7: Test Your Console Cable
Limitations of a Console Port
Changing Firmware
Standard Methods
Method 1: Using a Config File
Method 2: Using SNMP
Changing Firmware on SB4xxx Series Modems
Using Shelled Firmware
Using Open Sesame
Using Blackcat
Using the Console Port
Accessing the Developers' Back Door
Changing Firmware on SB5100 Series Modems
Hacking the RCA
Opening the Modem
Installing the Console Cable
Shorting the EEPROM
Permanently Enabling the Developer's Menu
Changing the HFC MAC Address
Hacking the Webstar
Installing a Console Cable
Bootloader Commands
The Firmware Shell
Hacking the Web Interface
New Possibilities
The Surfboard Factory Mode
About the Surfboard Factory Mode
Finding the Exploit
The Importance of Assembly Code
Enabling Factory Mode
Enabling Factory Mode in Sigma
Using Factory Mode
Changing the HFC MAC Address
Changing the Serial Number
The Factory MIB Look-up Table
cmFactoryDbgBootEnable
cmFactoryHtmlReadOnly
Hacking with the Surfboard Factory Mode
Devising a Plan
Creating Executable Data
Writing Data to Memory
Executing Your Data
Wrapping Up
Viewing the Result
Using Factory Mode to Change Firmware
Writing a Function to Change Firmware
The Symbol Table
The ChangeFirmware() Assembly Function
Downgrading DOCSIS 1.1 Firmware
Patching the Upgrade Procedure
Obtaining Digitally Signed DOCSIS 1.0 Firmware
Downgrading the Firmware
Additional Resources
Hacking the D-Link Modem
The Diagnostic Interface
System Info Page
Cable Status Page
Signal Page
Event Log Page
Maintenance Page
Hacking the DMC-202 Using the Telnet Shell
The Main Menu and Beyond
How to Change the MAC Address
How to Change the Firmware
The Production Menu
How to Access the Production Menu
How to Change the Hardware Parameters
Why Open the Case?
Securing the Future
Securing the DOCSIS Network
What Network Engineers Can Do
Upgrade to DOCSIS 1.1/2.0
Disable Backward Compatibility
Enable Baseline Privacy (BPI/BPI+)
Create Custom CMTS Scripts
Prevent MAC Collisions
Consider Custom Firmware
Use Signed Firmware
Secure the SNMP
Use Active Monitoring
Keep Up to Date
Cable Modem Hackers
Hackers Often Use Spare Modems
Hackers Rarely Use Their Own MAC Addresses
Hackers Often Use Common Exploits and Hacks
When the Cable Company Finds Out
The Future
A. FREQUENTLY ASKED QUESTIONS
General Questions
Do I need cable television in order to have cable Internet?
How do I know if my service provider is DOCSIS or EuroDOCSIS?
Which was the first cable modem to be hacked?
My cable modem has both a USB and an Ethernet interface. Which one should I use?
Is it possible to change the MAC address of a cable modem?
Can two computers use one cable modem to access the Internet?
Can two cable modems go online with the same MAC address?
Which cable modems can be uncapped (or are hackable)?
Should I uncap my cable modem because my service is slow?
Is DOCSIS 2.0 faster than DOCSIS 1.1?
What does the term "uncapped" mean?
How can I change my modem's firmware?
Where is my modem's diagnostic web page?
How do I unblock port ....?
What is Sigma firmware?
Can I use a router with Sigma?
Can I download the config file from a cable modem?
If I am uncapped, how fast can I download or upload?
Are there any good Internet cable modem resources?
Can I contact you?
Motorola Surfboard-Specific Questions
How many different Surfboard models exist?
What are the differences between the SB4100 and the SB4101?
What are the differences between the SB5100 and the SB5101?
Can I install EuroDOCSIS firmware into a DOCSIS modem (or vice versa)?
Are there any secret web pages in Surfboard modems?
Can I change the Surfboard's default IP address, 192.168.100.1?
Can I turn off the standby feature through the Ethernet port?
Can I disable the DHCP server on a Surfboard modem?
Can I remove the community string from my cable modem's SNMP server?
Which Surfboard modems are compatible with DOCSIS 1.1?
B. DISASSEMBLING
Obtaining Firmware
On the Web
From Your Service Provider
Directly from the Flash
Unpacking a Firmware Image
Uncompressing Firmware for SB3100, SB4100, and SB4200 Modems
Uncompressing Firmware for the SB5100 Modem
Extracting the Symbol File
Writing a Program to Extract the Symbol File
Creating an IDC Script
Setting Up the Interactive Disassembler
Working with the Interactive Disassembler
Using What You've Learned
C. CROSS-COMPILING
Setting Up the Platform Environment
Emulating a Linux Environment
Compiling the Cross-Compiler
Compiling the GNU Compiler Collection (for MIPS)
Compiling Your First Program
Loading the Compiled Program into Your Cable Modem
Obtaining Plug-ins
TftpGet
nmEdit
D. ACRONYMS
Index
