Re: 3Com cable modems / Mediaone

From: Joseph W. Breu (breuat_private)
Date: Mon Nov 29 1999 - 12:28:34 PST


    On Sat, 27 Nov 1999, Signal 11 wrote:
    
    > and it took some digging to uncover this "feature".  The cable-
    > modem can also be reprogrammed via a serial port in back,
    > although my attempts to access it have proven futile.
    
    The serial port is 8N1 w/ baud rate of 38400.  Try a null or straight
    serial connection.  I cannot remember which one is which.  The 3Com CMX
    has a read-only serial console.  Modems like the ubr900 series (904 and
    924) contain read/write consoles (but passwords may be set).  If you
    purchase the modem from a vendor (not your ISP), then there are not any
    passwords.  If you get it from your ISP (and they are worth their salt),
    it will come with a password on it.  Our modems are included in the
    monthly charge, so we still own them and protect them with passwords.
    
    > I am also very curious to find out how to telnet into this thing,
    > as there are references to it being "password protected"
    > to prevent intruders.  Somehow I rather doubt mine was
    
    These modems do not have the ability to be telnet'd to.  If you try, it
    returns a "protocol not accepted" error.
    
    The update is accomplished via the CMTS configuration file.  There is a
    field in the config file for an "Update Available" that includes the
    filename and tftp server of the update.  So, if you can fake out a modem
    with a rogue DHCP server and provide your own configuration files, then
    you might possibly be able to upload rogue code to the modem.
    
    > Can firmware be uploaded by anyone?  How does the modem
    > authenticate the head-end system?  Does anyone have any
    > information on how to reprogram this modem?
    
    The modem authenticates the headend through the negotiation phase of the
    boot process of the modem.  The modem scans the downstream frequency
    channel (usually >450 MHz) until it finds a 6 MHz wide QAM (256 or
    64) signature.  Encoded within the QAM modulation is the information for
    the upstream channels (channel ID, freq, freq width, etc).  The modem then
    ranges with the CMTS to configure the power level.  Once the modem is
    ranged, it goes through a DHCP/TFTP sequence.  The modem then downloads
    its configuration options from a file stored on a TFTP server.
    
    --
    	Thanks,
    	-Joseph W. Breu
    
    ---------------------------------------------------------------------
    Joseph W. Breu       Linux/UNIX Administrator / Cedar Falls Utilities
    phone: (319) 268-5228        Utility Parkway, Cedar Falls, Iowa 50613
    pager: (319) 235-4209  NIC: jwb96   breuat_private   breu.pagerat_private
    --------------- Where do you want to go tomorrow? -------------------
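
An operator-side check for the upgrade fields described in the message above: it parses a modem configuration file and flags any software-upgrade server or filename outside an approved list. This is an added example, not part of the original post; the TLV type numbers (9 and 21, as used in DOCSIS 1.x config files), the helper names and all sample values are assumptions.

```python
import ipaddress

# TLV type codes from the DOCSIS 1.x config-file encoding; the post does not
# give them, so treat them as this example's assumption.
SW_UPGRADE_FILENAME = 9
SW_UPGRADE_TFTP_SERVER = 21
END_OF_DATA = 255

def parse_tlvs(blob):
    """Yield (type, value) pairs from a flat type/length/value byte string."""
    i = 0
    while i < len(blob) and blob[i] != END_OF_DATA:
        if i + 2 > len(blob):
            raise ValueError(f"truncated TLV header at offset {i}")
        t, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {t} at offset {i} runs past end of file")
        yield t, value
        i += 2 + length

def audit_upgrade_fields(blob, allowed_servers, allowed_files):
    """Return findings for upgrade settings outside the operator allowlists."""
    findings = []
    for t, value in parse_tlvs(blob):
        if t == SW_UPGRADE_TFTP_SERVER:
            if len(value) != 4:
                findings.append("malformed upgrade server field")
                continue
            ip = str(ipaddress.IPv4Address(value))
            if ip not in allowed_servers:
                findings.append(f"unexpected upgrade TFTP server {ip}")
        elif t == SW_UPGRADE_FILENAME:
            name = value.decode("ascii", "replace")
            if name not in allowed_files:
                findings.append(f"unexpected upgrade filename {name}")
    return findings

def build(fields):
    """Encode (type, value) pairs as TLVs plus the end marker (for samples)."""
    return b"".join(bytes([t, len(v)]) + v for t, v in fields) + bytes([END_OF_DATA])

# Constructed sample files; type 3 stands in for an unrelated setting, and
# the addresses and filenames are made up.
EXPECTED = build([(3, b"\x01"), (9, b"cm-fw-1.bin"), (21, bytes([10, 0, 0, 5]))])
SUSPECT = build([(3, b"\x01"), (9, b"other.bin"), (21, bytes([192, 0, 2, 66]))])
ALLOWED_SERVERS, ALLOWED_FILES = {"10.0.0.5"}, {"cm-fw-1.bin"}

if __name__ == "__main__":
    for label, blob in (("expected", EXPECTED), ("suspect", SUSPECT)):
        print(label, audit_upgrade_fields(blob, ALLOWED_SERVERS, ALLOWED_FILES))
```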
    


