Monday, March 3, 2008

The term EtherBoot is often used to describe the process of temporarily booting firmware into a cable modem via Ethernet. The main purpose of doing this is to change the firmware of the device or to install a third-party modification, such as SIGMA.

The process works as follows: you use a special cable known as an RS232 to TTL converter (also known as a console cable) to connect the serial port of your computer (DB9) to the clandestine console port inside your cable modem. Then you must install and use a console emulator program to communicate with your cable modem. Finally, you can halt the boot-up process of your cable modem and have it download firmware into RAM from a local TFTP server running on your computer.

This tutorial is ideal when hacking the following Surfboard cable modems: SB3100, SB4100, SB4101, and SB4200.

Step 1: Download the Software

To get started you need to have the proper software. The easiest way is to use the program EtherBoot, which automatically does everything for you; however, this software is only available to members of this website. Otherwise, you can use the free version of HyperTerminal (which comes preinstalled in all Windows-based operating systems), FIP, the Fireball Boot Server, TFTPD and ELF32, which can be freely downloaded from our software section.

Step 2: Prepare the Firmware

The purpose of this step is to take a firmware file (such as one downloaded from here) and convert it into a format that is bootable. If you are going to be using EtherBoot, you can just skip this step because EtherBoot will automatically boot any compatible firmware.

Take your firmware image and decompress it using FIP. Then take the decompressed image and convert it into ELF using ELF32.exe. Finally, rename this file to vxWorks.st.

Step 3: Gathering the Hardware

You will need the following hardware: a T-10 screwdriver (to open your modem case), a soldering iron, solder (rosin core), and most importantly an RS232 to TTL converter cable. We have a professional cable available for sale in our shop (shown below); however, if you want to spend more money building your own, you can do so by following this tutorial.

RS232 v2 from TCNISO

Step 4: Connect the console cable into your modem

Using a soldering iron, you need to solder the 4 wires of your console cable into the console port of your cable modem. If you had purchased the RS232 v2 board from us, you can just solder the enclosed 4-pin header into the port and connect the pin jumpers from it onto the board.

An RS232 to TTL converter has four connections: V (Voltage), G (Ground), R (Receive), and T (Transmit). You need to connect four wires from these connections to the four points shown below.

SB4100 SB4101 SB4200

Step 5: Halt the Boot Process

With the console cable connected properly to your cable modem and your Ethernet cable connected directly to the Ethernet port of your cable modem (do not use a router), start your console emulation software. If you are using EtherBoot, all you have to do is go to the Options tab, select which cable modem model you are using, and select the firmware file you want to boot. However, if you are instead using HyperTerminal, connect using COM1 with a baud rate of 9600 bps for the SB3100 or 38400 bps for the SB4100/SB4200, data bits 8, parity none, stop bits 1, and flow control none.

Now plug in the power of your cable modem, which should cause the console window of the program you are using to fill up with boot-up information. If you are using EtherBoot, the boot process will automatically be halted. But if you're using HyperTerminal, you need to wait until it says "Press any key to stop auto-boot..." and then immediately press any key on your keyboard.

At this point, you should have a console prompt that is similar to: "[SB4200 Boot]:". This also indicates that your console connection to your cable modem is working perfectly.

Step 6: Boot Firmware

For users using EtherBoot, this step is easy; just press the "Boot From Ethernet" button. However, if you are using HyperTerminal, you must start the TFTPD software with your firmware file (vxWorks.st) in the base directory. Now you must type out the new boot string to tell the cable modem to connect to your TFTP server. To do this, type:

2 enetBcm(0,0)admin:vxWorks.st e=192.168.100.1 h= g=192.168.100.1 u=jmcqueen pw=rickey7 f=0x8 tn=SB4200

Where is the IP address of your Ethernet card. If everything is successful, the cable modem will connect to your TFTP server and download a copy of firmware into RAM. Note: for the SB3100, you need to type "cs" instead of "enetBcm".
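
Added example (not part of the original tutorial or of TCNISO's software): a short Python parser that breaks the boot string above into its parts and lists what a firmware reviewer would note about it. The field meanings assume the usual VxWorks boot-line convention, the leading "2" is treated as a console command outside the boot line, and `parse_boot_line` and `review` are hypothetical names.

```python
import re

# Field names follow the usual VxWorks boot-line convention (an assumption about
# this bootloader; the page itself does not define them).
FIELDS = {"e": "target IP", "h": "host IP", "g": "gateway IP", "u": "user",
          "pw": "password", "f": "flags", "tn": "target name"}

# device(unit,procnum)hostname:filename, followed by space-separated key=value pairs
SPEC = re.compile(r"(?P<device>\w+)\((?P<unit>\d+),(?P<proc>\d+)\)"
                  r"(?P<hostname>[^:\s]*):(?P<file>\S+)")

def parse_boot_line(line):
    """Split a boot line into its device specification and key=value parameters."""
    m = SPEC.search(line)            # skips any console command before the spec
    if m is None:
        raise ValueError("no device(unit,proc)host:file specification found")
    parsed = m.groupdict()
    params = {}
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if not sep or key not in FIELDS:
            raise ValueError(f"unrecognised boot parameter: {token!r}")
        params[key] = value          # an empty value such as "h=" is kept as ""
    parsed["params"] = params
    return parsed

def review(parsed):
    """Return the observations a reviewer would record for a parsed boot line."""
    p, findings = parsed["params"], []
    if p.get("u") or p.get("pw"):
        findings.append("plaintext credentials in boot line")
    if p.get("h", "") == "":
        findings.append("host IP (h=) is empty")
    return findings

# The boot string exactly as printed on this page, including its empty h= field.
PAGE_LINE = ("2 enetBcm(0,0)admin:vxWorks.st e=192.168.100.1 h= g=192.168.100.1 "
             "u=jmcqueen pw=rickey7 f=0x8 tn=SB4200")

if __name__ == "__main__":
    result = parse_boot_line(PAGE_LINE)
    for name, value in result["params"].items():
        print(f"{FIELDS[name]:12} {value!r}")
    for finding in review(result):
        print("finding:", finding)
```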

Finally...

With the ability to boot firmware into memory, you can further hack the modem. One method is to boot a firmware loaded with SIGMA and then use the SIGMA interface to change firmware permanently using a copy of itself. Another method is to boot an older DOCSIS 1.0 firmware into memory and then use the software Open Sesame to change firmware.

If you are still having problems with this tutorial, just watch the official TCNISO video #1 (showing how to solder a home-made cable into a modem) or TCNISO video #4 (showing how to install the RS232 v2 board) from our Video Section.

Copyright 2006 TCNiSO Corporation - Managed and Designed by DerEngel - All content used with permission.