Slashdot Mirror


RCA / Thomson Modem Hack Discovered

An anonymous reader writes "Those unemployed modem hackers are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM, which throws the device into a diagnostic panic mode. Then, by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developers' menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

20 of 182 comments

  1. Don't fuck around w/your modem's MAC. by garcia · · Score: 5, Interesting

    Just remember that some cable ISPs use modem MAC authentication and changing your MAC address could possibly disable your access to the Internet. Some cable ISPs use "bottom-up" provisioning which allows you to re-register your modem's MAC address and tie it to your account (useful if you buy your own modem) but others could still be using manual provisioning which could cause delays in regaining block-sync.

    Personally, don't fuck around w/your cable modem. It works just fine the way it is. Hacks are a wonderful educational/mental exercise but I wouldn't exactly be trying this if you don't want to lose connectivity to your ISP.

    1. Re:Don't fuck around w/your modem's MAC. by asliarun · · Score: 2, Interesting

      Good point. However, one could easily make a note of the original MAC address, and change it back to the original, if it causes a problem.

      On the topic of MAC addresses, I'm not sure if enough people treat it as a privacy issue. AFAIK, MAC addresses are globally unique, thus uniquely identifying an individual user. Even IP addresses are sometimes dynamic (depending on the ISP), and can be "masked" by using a suitable proxy. MAC, OTOH, is almost like a digital fingerprint.

      Does anyone else share the same concern? Or am I missing something here??

    2. Re:Don't fuck around w/your modem's MAC. by nolife · · Score: 1, Interesting

      Some cable ISPs use "bottom-up" provisioning which allows you to re-register your modem's MAC address and tie it to your account

      Or allow you to access the internet with someone else's credentials. I am not familiar with how a cable internet system works and I doubt you could get lucky enough to guess someone else's MAC, but wouldn't the other CMs in your area or "node" have their MAC flying around the wire and ripe for capture? At least the initial requests looking for the routers and DHCP server.

      --
      Bad boys rape our young girls but Violet gives willingly.
    3. Re:Don't fuck around w/your modem's MAC. by Sc00ter · · Score: 3, Interesting
      You could hack the bootp config file and get faster upload/download speeds.

    4. Re:Don't fuck around w/your modem's MAC. by Anonymous Coward · · Score: 1, Interesting

      Hackers use this to their advantage by changing their MAC to one that's already authed on the network. Then it's just like having service that you pay for... only you don't.

    5. Re:Don't fuck around w/your modem's MAC. by DigiShaman · · Score: 4, Interesting

      As a Time Warner employee for the Austin TX area, our cable modems (regardless of brand, be it 3com, Ambit, Toshiba...etc) have a 10.x.x.x IP address that is not accessible to the public. Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly. If you make any changes to the modem by chance and uncap your modem, some fuzzy-logic software will check the checksum of the bin files on that modem (so I've been told by the abuse department). If that bin file has been modified or the firmware flashed to something other than what it's supposed to have, expect your account to be disabled.

      Chances are at this point, there will be no negotiation. If so, you will have to find another ISP, as we do not tolerate whatsoever people uncapping their modems. And believe me, we have quite a nice tech-savvy population in Austin that DO try to get away with it.

      --
      Life is not for the lazy.
    6. Re:Don't fuck around w/your modem's MAC. by AndroidCat · · Score: 2, Interesting
      Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly.

      It's a good thing that spoofing a CMTS system to the modem and giving it new BIN files, and then the new software lying to checksum/CRC tests is a tricky operation. But don't assume that it's impossible.

      --
      One line blog. I hear that they're called Twitters now.
  2. How long... by KennyP · · Score: 2, Interesting

    Until they are discovered and those modified cable modems are de-serviced?

    Kenny P.
    Visualize Whirled P.'s

  3. Cue FBI raids in 5...4...3.. by EvilStein · · Score: 5, Interesting

    Remember these cable modem tweakers that were raided by the FBI?

  4. Question by MisanthropicProgram · · Score: 3, Interesting

    Could these guys get arrested or sued under the DMCA?

    1. Re:Question by walt-sjc · · Score: 2, Interesting

      He's probably confused. It's amazing how many people I talk to that say they have DSL that actually have cable modems.

  5. I was wondering. by FreeLinux · · Score: 2, Interesting

    I was wondering about this. It seems, to me, that this hack will render your modem useless on the cable network. What's the advantage of that?

    Changing the MAC address will effectively cut off service to your modem. Being able to update the firmware sounds nifty but, do you have new firmware that you need to install? Is there some service that you need so badly, on a cable modem, that you would spend your time writing new firmware for it?

    I just don't see the advantage to this hack. I can see the advantage of previous hacks to uncap a modem but, even those hacks put you at risk of having your service terminated or worse, criminal charges being brought against you.

  6. spoofing? by Anonymous Coward · · Score: 1, Interesting

    I wonder how long it will be until people spoof other people's cable modem hardware addresses to 'steal' their access...

  7. great for deniability in court by Anonymous Coward · · Score: 3, Interesting

    MAC address/IP are often used in court. Things get interesting when people can change or spoof these things.

  8. Explain this to me, please? by khrtt · · Score: 2, Interesting

    The only way you can possibly benefit from this is to uncap the modem, which is about as kosher as petty shoplifting. And you wouldn't need to reflash the modem for it anyways.

    So, if you are not uncapping it, then what's the point? It's not like you are going to add any badly missed features, or make a linux print server out of it. Maybe it's just my lack of imagination, but I just don't see any practical uses for a hacked cable modem. I mean, other than getting the inner satisfaction from proving that you are actually able to read and flash the EEPROM :-). But then, you could just use a screwdriver and an EEPROM programmer...

  9. Uncapping? No... by telemonster · · Score: 2, Interesting

    Uncapping of the rate? No. Promiscuous mode is where the terror begins! Sniffing the traffic on the segment is where the real press will begin.

    --
    Southeastern Virginia REPRESENT!
  10. What about the more legit uses? by anthony_dipierro · · Score: 5, Interesting

    Everyone is talking about how this is a bad thing to do on someone else's network, but what about on your own network? Is it possible to get two cable modems to talk to each other over a coax cable? Can you hack the things to run distributed.net software? There are an awful lot of people out there with cable modems but no cable modem service.

  11. Back in the day... by danuary · · Score: 5, Interesting
    I worked for a startup cablemodem ISP. This was the mid-90's, before DOCSIS; we used proprietary equipment.

    We discovered and hounded the vendor relentlessly about the fact that the modems had a serial port for dial-upstream service. If you jumped a couple of pins on the serial port, reset the modem, and plugged in a serial line at 9600/8/n/1 you'd get the modem's diagnostics (password protected, albeit with a very weak password).

    The things you could do from the diag screen were downright scary. All this and more. You could determine the downstream and upstream freqs; you could also set the modem to transmit on any upstream frequency at any level up to 60dB. We played around with it for a bit. We set up a test modem and had it transmit for a second at 60dB on one of our upstream freqs; it took out ~400 users' service for about a half hour. Had we done it on the PPV freqs, it would have taken out PPV for a few thousand people. Fun stuff.

    And to my knowledge, they never fixed it.

    1. Re:Back in the day... by Anonymous Coward · · Score: 1, Interesting

      I too worked inside the cable company for a while, and in my first month they were in the process of rolling out the docsis in full swing. I showed my boss this article, http://www.theregister.co.uk/2004/02/05/cable_modem_hackers_conquer/ , the look on her face was priceless. HAHA

  12. Re:Great way to lose your service. by papasui · · Score: 2, Interesting

    He was pushing his own copy of our cm file from his tftp server. He was changing his MAC address to avoid being tracked but neglected to change his NIC's MAC. The rest was just a bit of investigating work. We know what areas combine to what on our network and we have tools that match customer info back to the live MAC addresses on the system. After that there was only a handful of people that it possibly could be.
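The two operator-side checks described in this thread, DigiShaman's config-file checksum comparison and papasui's correlation of cable-modem MACs with the customer NIC MACs behind them, as a small detection pass written here as an added example (not code from the thread or any ISP). The record layout, the config contents and the MAC addresses are all constructed sample data, and SHA-256 is an assumed choice of checksum.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from any real CMTS or ISP). The provisioning system
# holds a gold copy of the DOCSIS config file; each registration record carries the
# SHA-256 of the config the modem actually booted with, which node it registered on,
# and the CPE (customer NIC) MAC seen behind it.
GOLD_CONFIG = b"MaxRateDown=3000000;MaxRateUp=256000;NetworkAccess=1"
GOLD_HASH = hashlib.sha256(GOLD_CONFIG).hexdigest()
UNCAPPED_HASH = hashlib.sha256(GOLD_CONFIG.replace(b"3000000", b"30000000")).hexdigest()

# (cm_mac, node, cpe_mac, booted_config_sha256)
RECORDS = [
    ("00:10:95:aa:00:01", "node-A", "00:0c:29:11:22:33", GOLD_HASH),
    ("00:10:95:aa:00:02", "node-A", "00:0c:29:44:55:66", UNCAPPED_HASH),  # self-served config
    ("00:10:95:aa:00:03", "node-B", "00:0c:29:77:88:99", GOLD_HASH),
    ("00:10:95:aa:00:03", "node-C", "00:0c:29:de:ad:01", GOLD_HASH),      # same CM MAC, second node
    ("00:10:95:aa:00:04", "node-B", "00:0c:29:44:55:66", GOLD_HASH),      # same CPE NIC as :02
]


def config_mismatches(records, gold_hash):
    """CM MACs whose booted config hash differs from the provisioned copy
    (the checksum check DigiShaman describes)."""
    return sorted({cm for cm, _, _, h in records if h != gold_hash})


def cloned_cm_macs(records):
    """CM MACs registered on more than one node at the same time, i.e. a modem
    MAC that has been copied onto a second device."""
    nodes = defaultdict(set)
    for cm, node, _, _ in records:
        nodes[cm].add(node)
    return sorted(cm for cm, seen in nodes.items() if len(seen) > 1)


def cpe_behind_multiple_cms(records):
    """CPE NIC MACs seen behind more than one CM MAC: the correlation papasui used
    (CM MAC changed, the customer's NIC MAC left alone)."""
    cms = defaultdict(set)
    for cm, _, cpe, _ in records:
        cms[cpe].add(cm)
    return {cpe: sorted(seen) for cpe, seen in cms.items() if len(seen) > 1}


if __name__ == "__main__":
    print("config mismatch:", config_mismatches(RECORDS, GOLD_HASH))
    print("cloned CM MACs:", cloned_cm_macs(RECORDS))
    print("CPE behind several CMs:", cpe_behind_multiple_cms(RECORDS))
```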