Slashdot Mirror


RCA / Thomson Modem Hack Discovered

An anonymous reader writes "Those unemployed modem hackers are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM, which throws the device into a diagnostic panic mode. Then by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developer's menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

14 of 182 comments

  1. Note the date.. by Anonymous Coward · · Score: 5, Informative

    ..of the securityfocus story. It says "Feb 5 2004". It's nearly a year old!

  2. Re:Cue FBI raids in 5...4...3.. by garcia · · Score: 3, Informative

    Remember these cable modem tweakers that were raided by the FBI?

    Those individuals were "uncapping" their cable modems by changing their modem config file and uploading it to their modems. That could be labeled theft of service as you are effectively stealing bandwidth that you didn't pay for.

    Modifying the firmware on your cable modem doesn't necessarily have to mean uncapping your modem config file and upping your possible bandwidth.

    In fact, this method is quite a bit more difficult than just editing the modem config file (as it requires a hardware interface not just a TFTP server).

  3. Re:Don't fuck around w/your modem's MAC. by garcia · · Score: 4, Informative

    So? You can do that w/o a hardware hack using a TFTP server and a text editor. Most cable ISPs already scan their networks for modified cable modem config files and disable them for ToS violations.

  4. Re:Don't fuck around w/your modem's MAC. by afidel · · Score: 3, Informative

    MAC addresses are stripped at the first hop so unless someone is specifically looking for you and has a valid search warrant I wouldn't be too worried about your MAC address.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  5. Re:Don't fuck around w/your modem's MAC. by spitefulcrow · · Score: 2, Informative

    On embedded devices like cable modems it's a bit harder to do but the MAC is always changeable. Most home routers now offer "MAC cloning" so that it looks like you have the original PC that you set up the service with connected to the cable modem still while you can share the connection over the router. And it's trivially easy to change the MAC address of a NIC in Linux and probably most other *nix systems. "ifconfig [iface] hw [class] [address]"

    --
    Sorry, my karma just ran over your dogma.
  6. Re:spoofing? by Anonymous Coward · · Score: 1, Informative

    Most Cable ISPs also log the CPE MAC (Ethernet MAC), so they would see the change when looking for the person who committed the crime... I know, I am one of those people who work for a Cable MSO searching for people who commit crimes.

  7. Re:Great way to lose your service. by papasui · · Score: 3, Informative

    ARP

  8. Re:Great way to lose your service. by Sc00ter · · Score: 3, Informative

    via SNMP and the arp table of the modem. The cable provider still has access to the modem via SNMP.

  9. Motorola V710 phone hack here by scattol · · Score: 4, Informative

    There are instructions on this web site on how to modify your v710 phone to turn on all the bluetooth functionality. You need to register though. Don't know if they work, I haven't tried them so you are on your own.

    If they work, let us know.

    1. Re:Motorola V710 phone hack here by Anonymous Coward · · Score: 3, Informative

      I registered a fake user and posted it on bugmenot.com:

      user: userboy
      pass: pants1

  10. Re:Dangerous, and probably illegal. by papasui · · Score: 3, Informative

    In a two way system yes both a forward and return path are provided completely through the cable provider. In a 1 way system the return path is provided through the phone, Motorola's Surfboard 2100D has a CAT3 connector on it for this purpose. I'll bet that there are still a few of these in the US.

  11. Re:Question by SCPRedMage · · Score: 2, Informative

    Allow me to spell it out for you: Digital Millennium COPYRIGHT Act. It covers bypassing COPYRIGHT protection measures. Uncapping your modem is NOT bypassing a COPYRIGHT protection measure (although it IS still illegal).

    --
    My sig can beat up your sig.
  12. Re:Don't fuck around w/your modem's MAC. by DigiShaman · · Score: 2, Informative

    If it's your modem, you can do anything you want with it...as long as you do not hack the BIN files that your ISP uploads to the modem (they are stored in RAM, don't worry). The moment you reprogram those config files or anything else that would circumvent the Terms of Service Agreement or Cox's network, expect your account to be disabled.

    --
    Life is not for the lazy.
  13. Re:Cue FBI raids in 5...4...3.. by BRTB · · Score: 2, Informative

    I wouldn't mess with the speed, as I'm sure the second somebody starts blasting 10mbit uploads down the cablenet, somebody on the UBR end will pick it up. I'd be happy with re-enabling the read-only 'public' SNMP on the local IP address of the cable modem... it was really nice pointing MRTG at 192.168.100.1 and reading the transferred-bytes numbers straight out of the modem interface, to say nothing of the signal strength and other genuinely useful info you can read with docsdiag.