Cable Modem Hacking Guide With Pictures
Version VI
Written By Monkeywrencher

Disclaimer: THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

For more information, help and updates, visit http://theoryshare.com. If you do not have a Surfboard modem, or find this process is too hard for you to complete, pre-modified modems are for sale at http://theoryshare.com, which include the modem pre-modified with firmware and support. Support forums, FAQs and P2P support are also available.

Some things to know before using this guide. Make sure you understand these:
1. This process is real and can increase the speeds you get from your cable service.
2. This guide may not work with all modems. It is currently only known to work with Surfboard modems but should work with others.
3. No matter how much you uncap you can be caught JUST AS EASILY. Use at your own risk.
4. Don't be disappointed if this does not work for you. Certain configurations with your modem or ISP may prevent you from properly performing this process.
5. I CANNOT help you if you do NOT have a Surfboard modem.
6. Finally, please read through all of the documentation before asking me or anyone else for support. Thank you.
7. Every step must be followed exactly as stated, in exact order. Deviation will result in FAILURE.

There are 2 good ways to uncap: the first is to use hacked firmware, the second is using DHCP Force. Both methods will work on Surfboard 3100/4100/4200 cable modems, but DHCP Force has been reported to work on many modems even though it was designed only for Motorolas, so if this doesn't work it probably can't be done with your modem.
Uncapping With Hacked Firmware

FIRST: THIS WILL ONLY WORK WITH SURFBOARD SB4100, SB4101, and SB4200 modems. It will not work with any other modems. For the SB3100 you must use the Alternate method for loading firmware. IF YOU ARE ON A EURODOCSIS SYSTEM THIS PROCESS WILL WORK WITH ONLY THE 3100, 4200 AND YOU WILL NEED TO FOLLOW STEP 4B. If you have trouble with this process, help/support forums are available at http://theoryshare.com

STEP 1: Go to your modem config page http://192.168.100.1 and reset all defaults, then unplug your modem from power and coax. DO NOT REBOOT YOUR MODEM; only reset all defaults. It will not take as long as it says.
STEP 2: Go to network settings in control panel and change your network settings to the following:
IP ADDRESS: 192.168.100.10
SUBNET: 255.255.255.0
GATEWAY: 192.168.100.1
DNS: Leave blank
Once finished, Disable then Enable your network interface.
STEP 3: Open NetBoot and verify the boxes “Enable FTP Server”, “Reset Modem Before Booting” and “Auto IP” are checked. Now plug your modem in to POWER ONLY. Then, after about 1 minute, press boot over network. Your modem should reset and then begin a power up. DO NOT reset your modem; this may take a minute or two. Once NetBoot shows that the FTP Client has been disconnected, your modem is finished net booting and you may go on to the next step. DO NOT CLOSE SBRIDER
[Pictures: Before Net Boot; After Successful Net Boot]
STEP 4: After your modem has been net booted, return to your cable modem config page http://192.168.100.1 and go to the hack tab. Scroll down to “Upgrade Firmware”. Proceed to upgrade your firmware with the firmware corresponding to your cable modem in the Firmware folder. Fiberware firmware is for advanced users only and is not recommended for general use. At this point your modem will begin upgrading. DO NOT unplug your modem or change pages on your browser until your modem reboots; in rare cases this may take up to 5 minutes. Once your modem has rebooted, return to the config page and verify that the firmware has been updated by seeing if the hack tab is available. If so, you may plug your modem back into coax and go on. At this stage the firmware is permanently loaded and no further action is required to make it stay on the modem.

Once this upgrade is finished you may change your IP back to normal, and you can access the internet and the hacked firmware.
Step 4B: EURO DOCSIS WORK AROUND: -NEW
If you are on a Euro DOCSIS system you need to follow this step, otherwise proceed to step 5.

Step 1: Open a command line (Start, Run, cmd.exe) or open your favorite telnet client. At the command line type: telnet 192.168.100.1

Step 2: Stop the scanning task: type BroadcomDebugMode(1); and hit enter.

Step 3: Create an instance of the CmApi (which has your config in it): pCmApi=Instance__5CmApi() and then get a copy of your config: pCfg=GetCmConfig(pCmApi);

Step 4: Change the frequency plan by running SetFreqPlanType(pCmApi,0x1);
*Note, the flag at the end of this command sets the scan table:

Scan Table       Flag
North America    0x0
Europe           0x1
China            0x2
Japan            0x3

Step 5: With the instance of your modified class, save it to the cable modem using this command: SetCmConfig(pCmApi,pCfg);

Step 6: Reboot the modem and go to: http://192.168.100.1/configdata.html If you did everything right (and the shell did not crash) it should be changed. If the shell did crash, unplug the modem for 30 seconds and try it again.
STEP 5: All cable modems use config files that control your modem's speed, importance and a few other parameters. Each time your modem boots it automatically downloads a config file chosen by your ISP. To uncap you must identify a config file which has faster speeds than the one you are currently using. The Hackware firmware that you have just loaded includes a config file sniffer under the sniffer tab. At this point the easiest route to take is to leave the modem on for a few hours, then check back to see if your config list has been updated. Often it is quite obvious from a config's name what speed it will give you. If the config file names you have are not easy to understand you may have to try a few. If the configs do not have anything in common and there are a large number of them, you are on a dynamic config system and must perform a method known as MAC cloning; visit http://theoryshare.com for more details. If you find a config you want to try, simply go back to the hack page, enter the name of the config you want to load and save the change. Reboot the modem and look at the max download/upload speed listed in the hack page; this tells you how fast the config is if you do not know.

If you have trouble finding configs or simply want to find more, use the method below:

Open the SNMPCfg Admin Program and locate the IP address range near the bottom. For the first # in the range put your HFC IP address listed in the DHCP Force Application. For the second value put an address considerably higher but not too much higher. EX. 10.142.1.213 --> 10.142.255.255 is a reasonable value. 10.142.1.213 --> 255.255.255.255 is not. Play around with this application to find a range that will best suit you. After the info has been entered, use the mass get function to retrieve the config names. Then press the + next to the names to get an IP address list. Put one of the addresses from each config into the step 1 program to find out which config is the fastest. In many cases this is not necessary, however, because the configs are named like BANNED.cm, BRONZE.cm, GOLD.cm, PLATINUM.cm, in which case knowing which is the fastest does not require a technical solution.

If the configs do not list, you will need to retrieve your current config; an explanation for this can be found in the archive this was distributed in. After you have retrieved the config, open it with Config Edit and locate your community string. It should be a line something like this:

snmp_mib_object 1.3.6.1.3.83.1.2.1.4.2 = string "YHaPLFR8";

Enter this string into SNMPCfg to find the config names. After you have found the config names, you can set your modem to download it when it boots using the config boot command. If your ISP uses dynamic configs (each modem gets a unique config) you will need to use the following OIDs in SNMPCfg:
Download: 1.3.6.1.2.1.10.127.1.1.3.1.5.1
Upload: 1.3.6.1.2.1.10.127.1.1.3.1.3.1
Then, once you find a faster modem, find its MAC address and clone it. This is not difficult and there are many 3rd party programs that can help you with this. Refer to the firmware command list for all functions.

Note that the SB3100 uses a different hacked firmware than the SB4XXX series. All of its functions can be accessed by going to http://192.168.100.1/tcniso.html. This same firmware can be used on the SB4XXX series but it is not recommended. You can find the 4XXX images and many others here: http://thescentoflove.com/test
Alternate Update Method:
Open CMfirm. For the CM address, go to http://192.168.100.1 and then to addresses, and use your HFC IP address. Leave the community string alone. For firmware server enter your public IP address. For firmware file select the correct update file for your modem; this will be a .hex.bin. If the update will not go through it is because of 1 of 2 things. Either your firmware version is higher than SB3100-3.2.15-SCM00-NOSHELL for the SB3100 or SB4200/4100-0.4.4.2-SCM01-NOSH for the 4100/4200, or you must discover your read/write community string. Follow the config file retrieval tutorial and open the config. Inside the config look for an item like this:

snmp_mib_object 1.3.6.1.3.83.1.2.1.4.2 = string "YHaPLFR8";

In this case YHaPLFR8 is the community string. Once this is done, run the firmware update. If this method still does not work because you have a high firmware version like 4.4.2 or 3.1.17, then use the 2 modem downgrade method. You can use either 2 of your own modems or you can get a person locally on the same ISP to help you. Once the new firmware is loaded on the modem you will need to tell your modem to boot a faster config file.
Uncapping using DHCP Force

Step By Step

1. Find the MAC address of your cable modem. This is usually found on a sticker on the cable modem or in the documentation which came with it. Open the DHCP Force application, put in the modem's MAC address and use the discover function. Then write down the values that are provided in the boxes. Another useful place to find modem information for Surfboard is the modem's web page, which can be found at http://192.168.100.1. While other modems may have similar web pages, I do not know how to locate them.

2. Open the SNMPCfg Admin Program and locate the IP address range near the bottom. For the first # in the range put your HFC IP address listed in the DHCP Force Application. For the second value put an address considerably higher but not too much higher. EX. 10.142.1.213 --> 10.142.255.255 is a reasonable value. 10.142.1.213 --> 255.255.255.255 is not. Play around with this application to find a range that will best suit you. After the info has been entered, use the mass get function to retrieve the config names. Then press the + next to the names to get an IP address list. Put one of the addresses from each config into the step 1 program to find out which config is the fastest. In many cases this is not necessary, however, because the configs are named like BANNED.cm, BRONZE.cm, GOLD.cm, PLATINUM.cm, in which case knowing which is the fastest does not require a technical solution. If the configs do not list, you will need to retrieve your current config; an explanation for this can be found in the archive this was distributed in. After you have retrieved the config, open it with Config Edit and locate your community string. Enter this string into SNMPCfg to find the config names, and then later also modify this parameter in DHCP Force.

3. Open the DHCP Force Application. Before you can try to uncap you must first disable the media sense option. This can be found under the DHCP menu. Once media sense is disabled you will most likely have to restart your computer. After your computer is restarted, open the DHCP Force application again, enter your modem's MAC address and use the discover function. This time, after the discover finishes, change the config file name to the name of the faster config you found using SNMPCfg Admin. Click the start button in DHCP Force, then reboot your cable modem. The easiest way to do this is to unplug it and then plug it back in. Wait until the modem is fully booted up, then stop DHCP Force and try to get online. Do not reboot your modem again, however, because this will set your modem back to its original settings. If all went well you should be on at a faster speed now.
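Both STEP 5 and the DHCP Force method end with the modem loading a config file other than the one the ISP chose for it, which is what an operator can check for. The following is an added example, not part of the original guide or its tools: it compares the config file each modem requested against the one provisioning assigned. The log layout, function names and all sample records are constructed assumptions.

```python
import re

# Constructed sample data: MACs are from the documentation range and the
# key=value log layout is hypothetical, not a real DHCP/TFTP server format.
ASSIGNED = {  # modem MAC -> config file provisioning assigned
    "00:00:5e:00:53:01": "BRONZE.cm",
    "00:00:5e:00:53:02": "GOLD.cm",
    "00:00:5e:00:53:03": "BRONZE.cm",
}
DHCP_LOG = """\
2004-01-10T08:00:01 ACK mac=00:00:5e:00:53:01 ip=10.142.1.213
2004-01-10T08:00:02 ACK mac=00:00:5e:00:53:02 ip=10.142.1.214
2004-01-10T08:00:03 ACK mac=00:00:5e:00:53:03 ip=10.142.1.215
"""
TFTP_LOG = """\
2004-01-10T08:00:05 RRQ ip=10.142.1.213 file=PLATINUM.cm
2004-01-10T08:00:06 RRQ ip=10.142.1.214 file=GOLD.cm
2004-01-10T08:00:09 RRQ ip=10.142.9.9 file=GOLD.cm
"""

def fields(line):
    """Return the key=value pairs of one log line as a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def audit_config_fetches(assigned, dhcp_log, tftp_log):
    """Return sorted (kind, mac_or_ip, expected_file, requested_file) findings."""
    ip_to_mac = {}
    for line in dhcp_log.splitlines():
        f = fields(line)
        if "mac" in f and "ip" in f:
            ip_to_mac[f["ip"]] = f["mac"].lower()
    findings, fetched = [], set()
    for line in tftp_log.splitlines():
        f = fields(line)
        if "ip" not in f or "file" not in f:
            continue
        mac = ip_to_mac.get(f["ip"])
        if mac is None:  # request from an address that holds no modem lease
            findings.append(("unknown_source", f["ip"], None, f["file"]))
        else:
            fetched.add(mac)
            if f["file"] != assigned.get(mac):  # not the file provisioning chose
                findings.append(("mismatch", mac, assigned.get(mac), f["file"]))
    # Leased modems that never fetched a config from this server.
    findings += [("no_fetch", m, assigned.get(m), None)
                 for m in ip_to_mac.values() if m not in fetched]
    return sorted(findings, key=lambda x: (x[0], x[1]))

if __name__ == "__main__":
    print(*audit_config_fetches(ASSIGNED, DHCP_LOG, TFTP_LOG), sep="\n")
```
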
If you need help, try the forums at my website http://www.theoryshare.com. Also at Theoryshare you will find pre-modified modems for sale if you do not have a Surfboard 4100/4200, and a flashing service if you have trouble or are unable to flash your modem.

I can be contacted at: monkeywrencher@theoryshare.com
My website is http://theoryshare.com

If this guide has been helpful to you, please consider donating or purchasing a product from Theoryshare to help keep the website running and to make it better. A donation button is available on the website to anyone wishing to donate.

Thanks to the Fibercoax Group and the TCNISO for software used in this kit. Hackware firmware written by Kuyza