Sunday, March 02, 2008
Note: much of the information in this tutorial is taken from the book, "Hacking the Cable Modem"
This is the original (revising) uncapping tutorial that was published in early 2001. It includes every step necessary to remove the bandwidth restrictions on older cable modems, such as the popular Surfboard series (models SB4200 and older with their original firmware installed). While it is now obsolete, it is still important to understand how this hack works, because it may still come in handy. And of course, no cable modem hacking book would be complete without it.
Basically, this hack has you send the cable modem your own config file instead of the one that the modem downloads from the service provider using a common hacking technique called ARP poisoning. By setting up your own TFTP server on the same IP as your service provider’s TFTP server, you overwrite the CACHE table in the modem forcing it to download the registration config from you instead of the service provider.
I have tested this exploit on Surfboard models SB2100, SB3100, SB4100 and SB4200 with factory loaded firmware, as well as the 3com Sharkfin modem. If your modem has newer firmware installed, you will need to downgrade your firmware before continuing.
Step 1: Know your ISP
Before you continue you need to know a few things about your service provider (ISP). First, you need to know the filename of the config file that your cable modem downloads each time it is powered on. Second (and most importantly), you need to know the IP address of your service providers TFTP server (the server of where the config file is located).
This knowledge is very basic and well known to any experienced cable modem hacker. To find this information for your self, try looking for it from your cable modem's diagnostic pages (http://192.168.100.1) or use OneStep's SNMP utility.
Step 2: Retrieve the config files
The config file the modem downloads when registering contains the modem’s service parameters which may include information such as the SNMP’s community string. It is important to have your original config file, as well as any additional config files available.
Download your modem's config file
You can use the Step 2 software to accomplish this or you can use the TFTP client feature from TFTPD32 to “GET” the config file as shown in the above picture. You can also run "tftp -i <TFTP_IP> GET <CONFIG_NAME>" from the command prompt, filling in the values for the italicized information with the information you gathered from Step 1. Executing this command will download the config file and save it in the root directory of your hard drive.
If you are having problems downloading your config file, try to spoof your modem’s HFC IP. To do so, use the Ethernet MAC changer in the Coax Thief software to change the IP of your Ethernet card’s interface to that of your modem’s HFC IP. This, will, in turn, change the IP in your UDP packets that contain the TFTP “GET” request, thus bypassing one way that a service provider can block certain TFTP sessions.
Step 3: Change your config
The purpose of this step is to change the config that the modem will download. You may first want to open your config using a config editor such as the Step 3 software or DiFILE: CPE as shown in the image below, change the MaxRateDown and MaxRateUp values, and save the revised file. However, since most service providers prevent you from editing your own config file, it is usually more useful instead to select a copy of a config that you downloaded in Step 2.
The speed values for DOCSIS 1.0 configs are specified in the config files themselves, under the Class of Service marker. After downloading config file variants, open them in the config editor to view the upload and download values, which are represented as bits per second. Usually there will be one or two config files whose values are faster than the values in your regular config file. For example, the image below shows the config file “DEF005.cfg” in a config editor. The download speed is 3 Mbits per second and the upload speed is 300 Kbits per second.
Use a config editor to check each configs speed
Step 4: Change your IP
A network controller, such as an Ethernet card, usually receives an IP address from a DHCP server and configures itself accordingly; however the purpose of this step is to temporarily configure your network controller yourself by changing the IP address to a specific one.
Windows 2000 and higher
Newer versions of Windows have a built in function for reassigning an IP address in real-time without restarting. Additionally, the native console application “net.exe” can be used to change the IP address of a network adapter. But try this way:
1. Right click on “My Network Places” and select properties.
2. Select the connection for your Ethernet card (default is: Local Area Connection), to bring up a window similar to the image below.
3. In the scrollable box, click on Internet Protocol (TCP/IP) then click Properties. This is where you can change the IP address of your network interface card.
Changing the IP address of an Ethernet card
4. From this window, select “Use the following IP address:” then enter the IP address of your service provider’s TFTP server, the subnet mask of “255.255.255.0” and the gateway “192.168.100.1”. Then click “OK” twice to close out of these dialog boxes.
Windows 98 / 98SE / ME
1. Right click on “My Computer”, and then select properties.
2. Go to the Device Manager’s tab and find your NIC card under the drop down section labeled “Network Adapters”.
3. Right click on this and select properties. Under the section labeled “Device Usage”, check “Disable in this hardware profile” and click “OK” then click “Close”.
4. Go to your TCP/IP protocol properties under your network properties and find the “IP Address” tab.
5. Click the button “Specify IP Address” and enter the IP of your service providers TFTP IP and subnet mask “255.255.255.0”, then go to the “Gateway” tab and add the gateway “192.168.100.1”.
6. Click “OK” and when prompted to restart, click “No”.
7. Finally, return to your “Device Manager” and re-enable your NIC card under the network adapter properties.
Step 5: Upload your own config file
The final step is to trick your cable modem to download its config file from you instead of your service provider. After your modem downloads your config file it will register with that file instead of the file it would normally download.
1. Install and setup a TFTP server (for example: TFTPD32 or OneStep) and copy the config file you chose from Step 3 into the root directory of the TFTPD software.
2. Rename this config file to match the name of the original config file that you learned from Step 1.
3. Unplug your cable modem and plug it back in. The modem will connect and download the config file from your PC instead of the real config file from your service operator. If everything is successful, your cable modem will register online with the config file you sent it. If your modem requests the config file multiple times from your TFTP server, this usually indicates that it could not register the config file on your ISP and you will need to try another config file.
4. Finally, in order to browse online, change the IP address of your network controller back to its original settings.
The speed of the modem is now the rate values specified inside the alternate config file. Your modem’s new speed will only last for the duration of its online cycle. If the modem is rebooted it will reregister with your service provider and download the config file from the original TFTP server, unless the modem has been modified with a firmware enhancement such as SIGMA.
The term “uncapped” is often used to describe a modem which has had its normal speed restrictions modified. When a cable modem is fully uncapped, it can download and/or upload at its physical limit, which is usually the result of a combination of the local line noise and the bandwidth available at the head-end office. The use of a drop amp (a.k.a. broadband amplifier) can often increase speeds for modems that suffer from frequency interference.
The upload speed of an uncapped modem varies between 50 and 250 KB/s, while the download speed varies between 350 and 1000 KB/s. The below image is shows the effect of using an uncapped cable modem to download a series of files at well over 500 KB/s. At this rate, it will only take a couple of minutes to download an entire 42-minute episode of “CSI”, whereas it would normally take close to an hour (on average).
An “uncapped” modem downloading at over 500 KB/s
Using an uncapped cable modem has many advantages, such as the ability to download a complete DVD-movie in about two hours, but it also has adverse effects. For one, operating a cable modem in an uncapped state may cause the upload and download speeds to be asymmetrical. This means that uploading and downloading files at the same time can greatly affect the overall speeds of both. One reason is because when a cable modem is transmitting data, line noise and the low-level protocol overhead are increased, which decreases the receiving speed.
Another potential effect of downloading on an uncapped cable modem is network saturation. The coax cable is shared by many individual cable modems. A CMTS can only transmit data to one modem at a time. As more requests for data are received, the CMTS may not have enough downstream bandwidth available and may be forced to drop packets which will reduce the overall download speed for all users served by this CMTS.
Pasted from <http://www.tcniso.net/Nav/Tutorials/Uncapping/>