
Cable Modem Hackers Release Improved Firmware

FatCat writes "SecurityFocus has a story about a group of hardware and software hobbyists specializing in embedded systems who've released their own custom firmware for Motorola Surfboard cable modems. The firmware lets you log in to an interactive VxWorks shell, or issue commands from a Web browser through an http interface. You load it by tapping an undocumented console serial port on the circuit board. So far, uncappers are apparently the primary consumers, and they're downloading up to 400 copies a day."
This discussion has been archived. No new comments can be posted.

  • My Opinion (Score:5, Interesting)

    by TheRealMindChild ( 743925 ) on Thursday February 05, 2004 @10:38AM (#8188952) Homepage Journal
    Ok, while I HATE the fact that my cable is capped, and now I have some invisible limit to my cable modem, there isn't a court in the land that will side with me, blatantly breaking a few laws, and ignoring the TOS that was agreed to.

    I'm just going to sit back for a while and hope something good comes of this... maybe cable providers will find that fighting with these people isn't worth the hassle.
  • dropped carrier (Score:5, Interesting)

    by sinucus ( 85222 ) on Thursday February 05, 2004 @10:39AM (#8188958)
    I'll have to say that with all the draconian rules being put in place with cable providers that I don't see this as being a new playground for crackers. You'll likely get dropped quicker than you can refresh the BIOS on that cable modem of yours. With DOCSIS compliant cable modems you'll be sure to know that the cable modem company DOES know what you're doing with it.
  • VxWorks? (Score:4, Interesting)

    by Quasar1999 ( 520073 ) on Thursday February 05, 2004 @10:40AM (#8188972) Journal
    It ain't free like linux is... so not only are they violating their AUP from their service provider, these guys are using software that they didn't pay for? WindRiver is gonna be pissed!
  • by toasted_calamari ( 670180 ) <burningsquidNO@SPAMgmail.com> on Thursday February 05, 2004 @10:41AM (#8188982) Homepage Journal
    I have heard stories of cable companies coming down *extremely* hard on uncappers, doing things like banning them from having cable service for life and other such actions.

    Given this, and the actions of DirecTV towards those who buy smartcards, I wonder what the cable companies will do.

    Will they ignore those who download these firmwares for the advanced features like the remote terminals and have no intention of uncapping, or will they treat everyone who re-flashes their firmware as a "criminal"?
  • Very neat (Score:2, Interesting)

    by BenDalton ( 573850 ) on Thursday February 05, 2004 @10:42AM (#8188990) Homepage
    now if someone could do this for my cable modem. Although, I have to wonder how many people will use this to uncap their cable modem only to get in trouble by their provider. In this society, I wonder how long until the developers get sued by the people installing it on their cable modems because they got prosecuted by their provider? Sigh... what a nice little circle
  • Increasing Speed (Score:5, Interesting)

    by vpscolo ( 737900 ) on Thursday February 05, 2004 @10:42AM (#8188993) Homepage
    Of course you can always set up a compressed SSH tunnel to speed up the text part of web browsing. I've found you get up to 400% increases which is nice :)

    rus
  • Monopoly (Score:5, Interesting)

    by lukewarmfusion ( 726141 ) on Thursday February 05, 2004 @10:42AM (#8188998) Homepage Journal
    In my area, Comcast is the ONLY option (outside of extremely expensive satellite alternatives). If they want to shut you off, they can. Then, you're screwed. I try not to do anything that will get me in trouble with them. Losing my cable, internet, etc. would be far worse than the tyranny of having my cable modem capped or my speed tiered. The problem is that they know this as well. That's why they can and do take these steps. My solution was the same one that Utah and others were going to do - city/state run broadband. It'd be just another utility and they could certainly offer it cheaper than Comcast. Plus, with the profits going back to the city or state, it would probably help lower/cut taxes. It's probably a simplistic view, and I realize that there are issues with letting the government control your internet access, but it would probably benefit the consumer much more than letting a monopolistic cable company charge $45 for crappy television and $45 more for internet access that goes down for "unscheduled maintenance."
  • by G4from128k ( 686170 ) on Thursday February 05, 2004 @10:49AM (#8189089)
    It would be nice if these enhanced firmware systems provided some level of content filtering on outgoing packets. A simple test would see if key passwords, financial account numbers, or a honeypot file name were in any outgoing packets. If so, the modded device would kill the outgoing packet and log the destination.
  • by djeaux ( 620938 ) on Thursday February 05, 2004 @10:50AM (#8189103) Homepage Journal
    Leaving aside the Sir Edmund Hillary rationale for hacking anything ("Because it was there") which is probably the #1 reason for any slashdottoid to crack out the soldering iron anyway, I have to wonder if this would be like circumventing any other speed limit. Aren't roadway speed limits set partly for safety & partly to control traffic?

    If everybody "uncapped", would the result be enough net congestion that everyone would wind up getting "capped" speeds again? Is this a netizenship question?

    As far as the ISP detecting "uncapped" cable modems, which has already been mentioned on this topic, I'd have to offer that my local cable provider employs so many utterly inept techs that they have trouble detecting when someone hooks up an unauthorized line to the pole, much less a change in the modem itself. That's why I've stuck with DSL -- 2 years with zero downtime, including a hurricane, while my cable service is down 3-4 times a week.

  • Re:My Opinion (Score:3, Interesting)

    by smellystudent ( 663516 ) on Thursday February 05, 2004 @10:52AM (#8189117)
    "Uncapping" a modem refers simply to removing a speed limit implemented in the modem. It cannot remove speed limits imposed upstream, or monthly download limits. In fact, you'll just speed towards those limits even quicker!
  • Sniffing (Score:3, Interesting)

    by Quill_28 ( 553921 ) on Thursday February 05, 2004 @10:53AM (#8189127) Journal
    So cable modem lines are shared.

    If you got a shell from the modem, could you then sniff the traffic?

    Just curious.

  • Re:confused (Score:5, Interesting)

    by aonaran ( 15651 ) on Thursday February 05, 2004 @10:57AM (#8189170) Homepage
    It's because the higher voltage required to push it to 56k would cause enough crosstalk to interfere with neighboring voice lines which is what the telephone system is supposed to be used for.
  • Re:Hmm... (Score:5, Interesting)

    by hattmoward ( 695554 ) on Thursday February 05, 2004 @10:57AM (#8189172)
    The thing is, within a few blocks of you, cable modems are pretty much all working on the same piece of wire. There is a good amount of bandwidth to share out there (sorry, I don't remember, but it's A LOT), but if you use a transparent proxy, it's still possible to saturate the local segment and irritate other users. A solution using a bandwidth arbitrator for routing to users may work, but if all the cable modems run in full-speed mode, you get bursty connections while each modem waits its turn to go full-saturation. Unfortunately, uncappers don't realize that they're potentially screwing over someone else. I think that's the big beef that the ISPs have... They already planned for a high potential bandwidth, it's just that when you go from 1.5 to 3 Mbps, you're giving yourself a bigger timeslice on the wire. Other than that, DOCSIS (in its most common configuration) is a very Big Brother-ish protocol, and your ISP will know what you're doing the minute you do it... unless they're a bunch of monkeys with wire (read: Comcast).
  • Re:Hmm... (Score:5, Interesting)

    by tazanator ( 681948 ) on Thursday February 05, 2004 @11:06AM (#8189270)
    Well this is Comcast.. My tcpdump shows ARP traffic on my cable modem from 4 different class B subnets(XX.XX.xx.xx), and even 2 class A subnets (XX.xx.xx.xx) I could understand a class C subnet(XX.XX.XX.xx) but not traffic in class A corporate down at end user. I'm in Indiana and seeing customers in California reply to ARP's... wasted bandwidth. With this much ARP traffic allowed thru the routers it's no wonder they are short bandwidth and kicking bandwidth hogs. Comcast has great speed but at very high cost (about $60 in my area) and the limits and additional overhead they build into the network it's no wonder the people hate them. If I can wean my 10 year old daughter from the TV I will cut the cord and go to DSL (I want to run a game server anyways and DSL is only $30 out here). I am not surprised people uncap and reconfig the cable modem ... they do it to phones (voicemail, speaker phones, heck the hams started long distance connecting the ham radio to a phone to get longer distance without the bill), why should the innovative spirit stop at the cable company?
  • by lordmoose ( 696738 ) * on Thursday February 05, 2004 @11:12AM (#8189339) Journal
    Okay, I work for a cable ISP. We don't want to send jack-booted thugs to shake down some 13 year-old kid who's just hacking to see what happens (I've been down that road myself). What is the best way to handle someone who uncaps their modem?

    I'm not the SysAdmin, just a concerned employee.

  • Not just uncapping (Score:1, Interesting)

    by Anonymous Coward on Thursday February 05, 2004 @11:16AM (#8189392)
    I'm primarily interested in this as I occasionally get problems with the intercepting http proxy on my cable modem and would like to disable it.
  • Re:Loss of service (Score:2, Interesting)

    by Delf ( 1807 ) * on Thursday February 05, 2004 @11:18AM (#8189414)
    It's pretty straightforward. In exchange for being allowed to attach to their network, you agreed to use only certain (i.e. unmodified) equipment, and to allow them to access that equipment in order to ensure that it operates properly on their network (i.e. within the parameters they've decided to enforce.) It's not anything like trespassing on their part -- you gave them permission to do it when you signed up for the service.

    Aside to Michael and FatCat: It's spelled "hobbyist".
  • by jchawk ( 127686 ) on Thursday February 05, 2004 @11:20AM (#8189440) Homepage Journal
    Just on a side note for more info. . .

    That's what is so cool about the DSL world, everything happens on that DSLAM, so the telco has control over your speeds.

    Let's say you upgrade to a faster speed... We'll remotely push an update to the port card you tie into that's in the DSLAM, then push an update to the modem and bam... Your speed is upgraded.

    The coolest thing to do is queue up a large download on the users PC, then push the updates to the modem and the DSLAM and you can actually see the speed increase. :-)

    Then you can even remotely tweak the line that the DSL is running on... Not getting full speed that you are rated at? No problem just bump the voltage on the line a little bit and normally the problem is fixed. :-)
  • by strAtEdgE ( 151030 ) on Thursday February 05, 2004 @11:22AM (#8189461)
    ... and I can tell you that this wouldn't work on our service. Nor almost any cable service. You would get cut off within the day you started to exceed your bandwidth cap.

    As for the question "why is the bandwidth capping happening at the cable modem?", I believe the answer is that it has to so that the CMTS bandwidth (the bandwidth on the cable plant between the modem and the cable router) is not used up. But that's not to say that the bandwidth you use at the cable router end isn't closely monitored. Hence why you will get shut off in no time flat when you start to exceed your provisioned bandwidth.
  • by babymac ( 312364 ) <ph33d AT charter DOT net> on Thursday February 05, 2004 @11:30AM (#8189576) Homepage
    Their site was pulled completely just moments after this story was posted:

    http://www.tcniso.net/
  • by Resaurtus ( 639635 ) on Thursday February 05, 2004 @11:56AM (#8189903)
    Cox locks us out of the SNMP interface on our own modems. Now I understand taking away write privs but I feel I should have the right to see exactly how my modem is configured. Little things, like exactly what is my cap set at? Is it seeing errors? What's my power level and SNR?

    As I own that hardware, I feel I have a right to see how well it's working. Many issues (Like signal loss) would likely be within my own home and something I could fix. This software would probably let me read this information, however, as I don't own one of the modable products I'll probably look for one with all the info I want on a web page rather than getting a hackable one.

  • by drcobb ( 674690 ) on Thursday February 05, 2004 @11:58AM (#8189933)
    If your employer is like most, your checks could easily be circumvented by frequently resetting the SNMP counters on the modem. Most providers only check the CPE snmp counters rather than running any sort of IP accounting on their end for speed/laziness. In one instance I know of a provider that bitches if you transfer more than 1gig a day. I'm not sure about this firmware, but this problem was solved for a 'friend' by using an APC masterswitch and a cronjob resetting the modem 10 min before every time the snmp counters were polled by the ISP. I'm not sure of vxworks but several other firmwares for other vendor devices allow you to clear snmp counters on the fly...
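
Seen from the provider's side, the weakness described in the comment above (accounting that trusts counters polled from the customer's modem) can at least be made visible. The following is an added example, not part of the original comment or any ISP's tooling: it sums usage from polled `sysUpTime` and `ifInOctets` values and flags restarts and cleared counters. The names `Poll`, `account` and `resets_timed_to_poll`, the thresholds and the sample polls are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32   # ifInOctets is a Counter32 and wraps at 2^32
TICKS_PER_S = 100         # sysUpTime is in TimeTicks (hundredths of a second)
SLACK_TICKS = 6000        # tolerate 60 s of poll jitter (assumed value)

@dataclass
class Poll:
    ts: int          # poll time, seconds
    sys_uptime: int  # sysUpTime as polled
    in_octets: int   # ifInOctets as polled

def account(polls, max_bytes_per_s=5_000_000):
    """Sum usage across polls; return (bytes_counted, findings).

    bytes_counted is only a lower bound when findings is non-empty: traffic
    between the previous poll and a reset cannot be recovered from the
    modem's own counters, so it has to come from accounting at the CMTS.
    """
    total, findings = 0, []
    for prev, cur in zip(polls, polls[1:]):
        elapsed = cur.ts - prev.ts
        expected_uptime = prev.sys_uptime + elapsed * TICKS_PER_S
        if cur.sys_uptime + SLACK_TICKS < expected_uptime:
            # Uptime fell behind wall-clock time: the device restarted.
            findings.append(("reboot", cur.ts, cur.sys_uptime // TICKS_PER_S))
            total += cur.in_octets
        elif cur.in_octets >= prev.in_octets:
            total += cur.in_octets - prev.in_octets
        else:
            wrapped = cur.in_octets + COUNTER32_MOD - prev.in_octets
            if wrapped <= max_bytes_per_s * elapsed:
                total += wrapped   # plausible Counter32 wrap
            else:
                # More than the line could carry: cleared without a reboot.
                findings.append(("counter_cleared", cur.ts, None))
                total += cur.in_octets
    return total, findings

def resets_timed_to_poll(findings, window_s=900, min_hits=2):
    """True if the device repeatedly restarted shortly before being polled."""
    hits = [f for f in findings if f[0] == "reboot" and f[2] <= window_s]
    return len(hits) >= min_hits

# Constructed hourly polls: two normal, then two where the modem had been up
# for only 10 minutes when it was polled.
SAMPLE = [
    Poll(0, 8_640_000, 1_000_000),
    Poll(3600, 9_000_000, 501_000_000),
    Poll(7200, 60_000, 40_000_000),
    Poll(10800, 60_000, 35_000_000),
]
```

A non-empty findings list means the modem-side total cannot be trusted for that period and the figure should be taken from accounting done on the provider's own equipment.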
  • Re:My Opinion (Score:3, Interesting)

    by BiggerIsBetter ( 682164 ) on Thursday February 05, 2004 @12:04PM (#8190009)
    That goes both ways right? If they get upset about uncapping, just say you changed the terms.
  • by BLKMGK ( 34057 ) <morejunk4me@@@hotmail...com> on Thursday February 05, 2004 @12:09PM (#8190073) Homepage Journal
    256K UP. Frankly I'd like a little more upside bandwidth. I would LOVE to be able to setup a small FPS gaming server but the low bandwidth going up prevents many of the interesting games from being played. I have IDSL also because my cable company won't allow hosting of content either - that sux. IDSL is only 144K and while it can do some VOIP stuff it's not enough for FPS games either. I would GLADLY pay extra for the bandwidth I desire but COMCAST says no such plans exist...
  • by BLKMGK ( 34057 ) <morejunk4me@@@hotmail...com> on Thursday February 05, 2004 @12:16PM (#8190165) Homepage Journal
    Actually to me the question becomes - what can it do OTHER than uncapping? Are there any legit uses for this? The article mentions the possibility of firewall and NAT but that's not yet done. What else does it do NOW?
  • Re:My Opinion (Score:2, Interesting)

    by xstein ( 578798 ) on Thursday February 05, 2004 @12:56PM (#8190681)
    While hoping not to stray too off-topic, I've had a small experience with Sprint PCS quite recently.

    As an extremely dissatisfied Sprint PCS customer (service was terrible in my area) I was looking for any way to break free from my contract, which I was unable to do for a number of months without paying a $150 cancellation fee.

    Upon receiving a notice from Sprint PCS that they would start charging for the previously free-of-charge service that allowed you to check your airtime usage from your phone, I called them and asked that my contract be terminated immediately as these were not the terms I had agreed to at the time I signed the contract. They offered me a better deal in an attempt to convince me to stay with their service, which I declined, and happily closed my account.

    I advised my friends who were also hoping to leave their Sprint PCS contracts to do the same when they started charging a "Number Portability Tax" (this too before it was implemented), and they encountered similar success.

    IANAL, but it seems to me that should you wish to terminate your contract when they change the terms you have a very firm legal ground to stand on. Whether or not they can terminate the contract when they change the terms, however, is another story.
  • Re:Hmm... (Score:3, Interesting)

    by ryanwright ( 450832 ) on Thursday February 05, 2004 @02:05PM (#8191541)
    It is simply not possible to design a game that has all sensitive computation being done on the server.

    What does a game need to send to the server?

    - Character data (who you are, what you're saying)
    - Positioning data (where you're at)
    - Action data (spells you're casting, etc)
    - Item data

    The latter is where problems start: People can hack an item to give them whatever power they want. Then the client says "I'm doing 1,000 points of damage with my bare hands" and the server just eats it right up. There's no reason why this data cannot be checked! When I attack, the conversation should be:

    Client: Attacking Hog Troll 125421 for 850 points of damage.
    Server: OK, you're holding no weapons and wearing no armor. I know this because the last time you modified the items on your character, the client sent the data to me. The max damage you can do with your current outfit is 5, so I don't know what you're smoking. Request denied.
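
The client/server exchange in the comment above, written out as an added example that is not part of the original post: the server bounds every damage claim by the weapon it has on record, and accepts an equipment change only for items it granted itself, so a modified client cannot simply report a stronger item. `GameServer`, the item table and the player and target ids are hypothetical and constructed for illustration.

```python
ITEM_MAX_DAMAGE = {"fists": 5, "iron_sword": 40}   # constructed item table

class GameServer:
    def __init__(self):
        self.inventory = {}   # player -> items the server itself granted
        self.equipped = {}    # player -> weapon the server accepted
        self.target_hp = {}   # target id -> hit points, held server-side only
        self.audit = []       # rejected requests, kept for later review

    def grant(self, player, item):
        self.inventory.setdefault(player, set()).add(item)

    def equip(self, player, item):
        # The client reports an equipment change; accept it only if the
        # server's own records say the player owns that item.
        owned = self.inventory.get(player, set())
        if item not in ITEM_MAX_DAMAGE or item not in owned:
            self.audit.append((player, "equip", item))
            return False
        self.equipped[player] = item
        return True

    def attack(self, player, target, claimed_damage):
        # Bound the client's claim by what the recorded weapon can do.
        limit = ITEM_MAX_DAMAGE[self.equipped.get(player, "fists")]
        if target not in self.target_hp or not 0 <= claimed_damage <= limit:
            self.audit.append((player, "attack", claimed_damage))
            return "denied"
        self.target_hp[target] = max(0, self.target_hp[target] - claimed_damage)
        return "ok"

def demo():
    srv = GameServer()
    srv.target_hp["hog_troll_125421"] = 900
    results = [
        srv.attack("p1", "hog_troll_125421", 850),  # bare hands, claims 850
        srv.equip("p1", "iron_sword"),              # never granted by server
        srv.attack("p1", "hog_troll_125421", 4),    # within bare-hand limit
    ]
    srv.grant("p1", "iron_sword")
    results += [srv.equip("p1", "iron_sword"),
                srv.attack("p1", "hog_troll_125421", 40)]
    return results, srv.target_hp["hog_troll_125421"], srv.audit
```
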
  • Re:Hmm... (Score:3, Interesting)

    by Eraser_ ( 101354 ) on Thursday February 05, 2004 @03:39PM (#8192894)
    ARP traffic coming out of California is an obvious mis-configuration, however seeing the various classes of addresses is not. IIRC cable companies were given the class A "24" to play with as they chose. When you get a DHCP lease in the 24 network, it should be chopped up by a subnet mask (like, 255.255.255.0) which turns it into 255^2 class C net blocks.

    Your analogy to the phone system is flawed though. Speakerphone, answering machines (voicemail), people talking over HAM radio instead of picking up the phone all involve nothing which harms the Telco, or your neighbors. When you sign up for service, you agree that you will buy 1.5m/256k for $60/month. When you uncap your modem, you now use much much more than that, but at the same price. I would go after you as well.

    If I generated electricity in my back yard with buttered toast and a cat, and then agreed to sell you a kilo-watt of energy every hour, hooked you up to a transformer which would only provide that much juice, and you came in and recalibrated it to give you two kilowatts per hour, I would either bill you twice as much, or cut you off. The only difference there is I'm not "the big bad cable company" nor THE MAN.

    Plus, why not ditch your $60/month internet, and go with $30/month DSL, anyways? OR did that $60 include some form of CATV watching as well? I bet you want free HBO as well, since it's just a config in the box restricting you. It's just the lock on my door keeping you out of my house. I'll hit you with a baseball bat if you break it, though.
