Re: DOCSIS vulnerability

From: Matthew S. Hallacy (poptixat_private)
Date: Wed Mar 13 2002 - 07:06:56 PST


    On Tue, Mar 12, 2002 at 06:59:36PM -0500, Rob Koliha wrote:
    > This is quite an old issue.. There are half written documents on how to do it everywhere ;)
    > In most of the howtos I've seen a step or two is missing.. It won't work on a lot of the modems out there, I know it will work with Motorola but it doesn't work on most Toshiba and Com21's.
    > Basically since the ethernet interface comes up before the rf interface, when you ping it you're exploiting an ARP table bug and fooling the modem into thinking that the tftp server lies on the wrong interface. This can be circumvented a few different ways.. Doing it with a packetshaper would be pretty expensive since you could possibly need thousands of flows (and you only get so many flows with each model) and packetshapers are not cheap. The best way to get around it is setting up the shared password stuff on the CMTS (results in a little higher load, but prevents theft of service). A plaintext password or key is encoded into the .bin file that is downloaded and the CMTS checks the key that the modem has before allowing it to go online. I know for a fact the docsis config decoder/encoder won't really decode the passphrase.. There may be other apps out there (or in the works) that will. More and more cable ISPs will enable this as time goes on and hopefully the hardware manufacturers have fixes in place or in the works.. Firmware upgrades are done from the provider side, meaning it would be quite easy for affected modems to be fixed with a new release. It would be a little bit of a pain to prevent your modem from being patched. There are also QoS (quality of service) tables on each router (uBR) which your ISP monitors.. If you push your modem higher than a speed level that your ISP sells you stick out like a sore thumb. Once they find that you've hacked it you will either get one warning or they will disconnect you and refuse to serve you. If you have no other broadband alternatives it could really suck. It would also be bad if you enjoy VOD and other 2 way cable services (as they could just as easily refuse data and tv both and cut/put a trap on your lines). Performing the hack could also probably land you in just as much hot water as the theft of tv services.
    > 
    
    I wanted to reply to a few points:
    
    I haven't exactly tested it on a wide variety; as for Toshiba, I know the PCX1100U is vulnerable.
    
    Preventing the firmware upgrade, or downgrading the firmware, is trivial (docsDevSwAdminStatus -> ignoreProvisioningUpgrade)
    
    ISPs go through the trouble of QoS tables, yet they can't figure out BGP?
    
    
    The incompetence amazes me.
    
    > Rob Koliha
    > Charter Communications / Charter Pipeline
    > Hickory, NC
    > 
    > 
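The "shared password stuff on the CMTS" that Rob recommends is the CMTS MIC check on the DOCSIS configuration file: the provisioning server appends a keyed digest that the modem cannot recompute, so a file rebuilt with a higher service class fails at the CMTS even though the modem's own unkeyed MIC still checks out. The following is an added illustration, not code from this thread or from any DOCSIS vendor; it uses the real DOCSIS 1.0 TLV type codes and HMAC-MD5 for the CMTS MIC, but simplifies the MIC to cover every TLV preceding it (the spec enumerates a fixed list of types), and all frequencies, rates and the secret are constructed values.

```python
import hashlib
import hmac

# Constructed example, not a real provisioning file. TLV type codes follow the
# DOCSIS 1.0 configuration-file format; the file is a flat type/length/value stream.
T_DOWN_FREQ, T_UP_CHAN, T_NET_ACCESS, T_COS, T_CM_MIC, T_CMTS_MIC, T_END = 1, 2, 3, 4, 6, 7, 255

def tlv(t, value):
    return bytes([t, len(value)]) + value

def build_config(max_down_bps, shared_secret):
    """Provisioning-server side: emit the file with both integrity checks appended."""
    cos = tlv(1, b"\x01") + tlv(2, max_down_bps.to_bytes(4, "big")) + tlv(3, (128_000).to_bytes(4, "big"))
    body = (tlv(T_DOWN_FREQ, (555_000_000).to_bytes(4, "big")) + tlv(T_UP_CHAN, b"\x01")
            + tlv(T_NET_ACCESS, b"\x01") + tlv(T_COS, cos))
    body += tlv(T_CM_MIC, hashlib.md5(body).digest())                       # unkeyed MD5: anyone can recompute
    body += tlv(T_CMTS_MIC, hmac.new(shared_secret, body, "md5").digest())  # keyed HMAC-MD5: needs the secret
    return body + bytes([T_END])

def find_tlv(data, wanted):
    """Return (offset, value) of the first TLV of type `wanted`, or (None, None)."""
    i = 0
    while i + 1 < len(data) and data[i] != T_END:
        t, n = data[i], data[i + 1]
        if t == wanted:
            return i, data[i + 2:i + 2 + n]
        i += 2 + n
    return None, None

def cm_mic_ok(data):
    """The modem's own check: MD5 over everything before TLV 6. No secret involved."""
    off, mic = find_tlv(data, T_CM_MIC)
    return off is not None and hashlib.md5(data[:off]).digest() == mic

def cmts_mic_ok(data, shared_secret):
    """CMTS-side check: HMAC-MD5 over everything before TLV 7, keyed with the shared secret."""
    off, mic = find_tlv(data, T_CMTS_MIC)
    if off is None:
        return False  # a file carrying no CMTS MIC at all is rejected outright
    expected = hmac.new(shared_secret, data[:off], "md5").digest()
    return hmac.compare_digest(expected, mic)

def max_downstream(data):
    """Read the provisioned downstream cap (class-of-service sub-TLV 2)."""
    _, cos = find_tlv(data, T_COS)
    _, rate = find_tlv(cos, 2)
    return int.from_bytes(rate, "big")
```

A file produced by `build_config(10_000_000, b"wrong-guess")` passes `cm_mic_ok` but fails `cmts_mic_ok` under the real secret, which is exactly the check that keeps a rewritten .bin from registering on the CMTS.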
    



    This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 09:27:54 PST