Slashdot Mirror


RCA / Thomson Modem Hack Discovered

An anonymous reader writes "Those unemployed modem hackers are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM, which throws the device into a diagnostic panic mode. Then, by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developer's menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

47 of 182 comments

  1. Don't fuck around w/your modem's MAC. by garcia · · Score: 5, Interesting

    Just remember that some cable ISPs use modem MAC authentication and changing your MAC address could possibly disable your access to the Internet. Some cable ISPs use "bottom-up" provisioning which allows you to re-register your modem's MAC address and tie it to your account (useful if you buy your own modem) but others could still be using manual provisioning which could cause delays in regaining block-sync.

    Personally, don't fuck around w/your cable modem. It works just fine the way it is. Hacks are a wonderful educational/mental exercise but I wouldn't exactly be trying this if you don't want to lose connectivity to your ISP.

    1. Re:Don't fuck around w/your modem's MAC. by Saxton · · Score: 4, Insightful

      That, and is there any real functionality you are able to get from this hack? Didn't seem like it. I am guessing 95% of the people that do it are going to follow the directions, say "yay I did it" and then forget all about it other than being able to tell their friends that they owned their own cable modem.

      *yawn*

      -Aaron

      --
      My name is Aaron Landry, and I approve this message.
    2. Re:Don't fuck around w/your modem's MAC. by asliarun · · Score: 2, Interesting

      Good point. However, one could easily make a note of the original MAC address, and change it back to the original, if it causes a problem.

      On the topic of MAC addresses, I'm not sure if enough people treat it as a privacy issue. AFAIK, MAC addresses are globally unique, thus uniquely identifying an individual user. Even IP addresses are sometimes dynamic (depending on the ISP), and can be "masked" by using a suitable proxy. MAC, OTOH, is almost like a digital fingerprint.

      Does anyone else share the same concern? Or am I missing something here??

    3. Re:Don't fuck around w/your modem's MAC. by Sc00ter · · Score: 3, Interesting
      You could hack the bootp config file and get faster upload/download speeds.

    4. Re:Don't fuck around w/your modem's MAC. by garcia · · Score: 4, Informative

      So? You can do that w/o a hardware hack using a TFTP server and a text editor. Most cable ISPs already scan their networks for modified cable modem config files and disable them for ToS violations.

    5. Re:Don't fuck around w/your modem's MAC. by Jeff+DeMaagd · · Score: 3, Insightful

      Uncapping or raising your cap is likely in violation of your contract and grounds for termination. Basically if you did this, you could be charged with theft of service.

    6. Re:Don't fuck around w/your modem's MAC. by Sc00ter · · Score: 3, Insightful
      Some versions of the firmware won't allow bootp files to be received from the ethernet interface. This hack lets you change the firmware to a version that does allow it. So it may still be a required step.

    7. Re:Don't fuck around w/your modem's MAC. by afidel · · Score: 3, Informative

      MAC addresses are stripped at the first hop, so unless someone is specifically looking for you and has a valid search warrant I wouldn't be too worried about your MAC address.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    8. Re:Don't fuck around w/your modem's MAC. by spitefulcrow · · Score: 2, Informative

      On embedded devices like cable modems it's a bit harder to do but the MAC is always changeable. Most home routers now offer "MAC cloning" so that it looks like you have the original PC that you set up the service with connected to the cable modem still while you can share the connection over the router. And it's trivially easy to change the MAC address of a NIC in Linux and probably most other *nix systems. "ifconfig [iface] hw [class] [address]"

      --
      Sorry, my karma just ran over your dogma.
    9. Re:Don't fuck around w/your modem's MAC. by Shakrai · · Score: 2, Insightful

      I just wish the US ISPs would open their eyes and allow us higher speeds, like almost the rest of the world.

      Not to disagree with you because I like fast downloads as much as the next guy, but how much bandwidth do we really need with current technology? Hell, Roadrunner is upgrading from 3.0mbits to 5.0. What do you really need all that speed for? At 3.0 I can download an entire Linux CD in less than 40 minutes.

      If you bump up the speed to insane amounts on the current infrastructure (what's the tops for a cable modem node? 45-50mbits down and 10mbits up IIRC) you'll just wind up with Joe Script Kiddie slowing everybody down for the sake of his illegal copy of XP. Not to mention all the owned Windows boxes out there being used for DDoS attacks that don't really need limitless amounts of bandwidth at their disposal.

      I would like to see higher upload speeds because it's really annoying to try and telecommute at 384k -- I'd say that an even meg would be about right -- but do we really need more download bandwidth?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    10. Re:Don't fuck around w/your modem's MAC. by DigiShaman · · Score: 4, Interesting

      As a Time Warner employee for the Austin TX area, our cable modems (regardless of brand, be it 3com, Ambit, Toshiba...etc) have a 10.x.x.x IP address that is not accessible to the public. Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly. If you make any changes to the modem by chance and uncap your modem, some fuzzy-logic software will check the checksum of the bin files on that modem (so I've been told by the abuse department). If that bin file has been modified or the firmware flashed to something other than what it's supposed to have, expect your account to be disabled.

      Chances are at this point, there will be no negotiation. If so, you will have to find another ISP as we do not tolerate whatsoever people uncapping their modems. And believe me, we have quite a nice tech-savvy population in Austin that DO try to get away with it.

      --
      Life is not for the lazy.
    11. Re:Don't fuck around w/your modem's MAC. by AndroidCat · · Score: 2, Interesting
      Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly.

      It's a good thing that spoofing a CMTS system to the modem and giving it new BIN files, and then the new software lying to checksum/CRC tests is a tricky operation. But don't assume that it's impossible.

      --
      One line blog. I hear that they're called Twitters now.
    12. Re:Don't fuck around w/your modem's MAC. by DigiShaman · · Score: 2, Informative

      If it's your modem, you can do anything you want with it...as long as you do not hack the BIN files that your ISP uploads to the modem (they are stored in RAM, don't worry). The moment you reprogram those config files or anything else that would circumvent the Terms of Service Agreement or Cox's network, expect your account to be disabled.

      --
      Life is not for the lazy.
  2. How long... by KennyP · · Score: 2, Interesting

    Until they are discovered and those modified cable modems are de-serviced?

    Kenny P.
    Visualize Whirled P.'s

    1. Re:How long... by garcia · · Score: 3, Insightful

      Until they are discovered and those modified cable modems are de-serviced?

      I was wondering if people could use a modified firmware that would report a valid modem config file back to the ISP when the ISP scans for ones that were not sanctioned.

      The ISP could power-cycle the modems remotely and push new firmware to all the modems rather easily. I would assume that the pushed firmware would include a way to block unauthorized firmware from connecting to the network.

      Who knows if they'd be that interested though?

  3. Note the date.. by Anonymous Coward · · Score: 5, Informative

    ..of the securityfocus story. It says "Feb 5 2004". It's nearly a year old!

  4. Cue FBI raids in 5...4...3.. by EvilStein · · Score: 5, Interesting

    Remember these cable modem tweakers that were raided by the FBI?

    1. Re:Cue FBI raids in 5...4...3.. by garcia · · Score: 3, Informative

      Remember these cable modem tweakers that were raided by the FBI?

      Those individuals were "uncapping" their cable modems by changing their modem config file and uploading it to their modems. That could be labeled theft of service, as you are effectively stealing bandwidth that you didn't pay for.

      Modifying the firmware on your cable modem doesn't necessarily have to mean uncapping your modem config file and upping your possible bandwidth.

      In fact, this method is quite a bit more difficult than just editing the modem config file (as it requires a hardware interface not just a TFTP server).

    2. Re:Cue FBI raids in 5...4...3.. by Vo0k · · Score: 3, Insightful

      Resident sniffer/logger.
      Simple Firewall.
      Monitor, blinking LEDs on certain kinds of packets arriving.
      "Wake on ring" if not present by default.
      "extra secret storage" in unused flash.
      Changing MAC address...
      *less* bandwidth (throttling your uplink, etc)

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    3. Re:Cue FBI raids in 5...4...3.. by BRTB · · Score: 2, Informative

      I wouldn't mess with the speed, as I'm sure the second somebody starts blasting 10mbit uploads down the cablenet, somebody on the UBR end will pick it up. I'd be happy with re-enabling the read-only 'public' SNMP on the local IP address of the cable modem... it was really nice pointing MRTG at 192.168.100.1 and reading the transferred-bytes numbers straight out of the modem interface, to say nothing of the signal strength and other genuinely useful info you can read with docsdiag.

  5. Re:Dangerous, and probably illegal. by Neophytus · · Score: 3, Funny

    Please note cable modems do not connect to the telephone network. They connect to the cable company's private wires.

  6. Question by MisanthropicProgram · · Score: 3, Interesting

    Could these guys get arrested or sued under the DMCA?

    1. Re:Question by SCPRedMage · · Score: 2, Informative

      Allow me to spell it out for you: Digital Millennium COPYRIGHT Act. It covers bypassing COPYRIGHT protection measures. Uncapping your modem is NOT bypassing a COPYRIGHT protection measure (although it IS still illegal).

      --
      My sig can beat up your sig.
    2. Re:Question by walt-sjc · · Score: 2, Interesting

      He's probably confused. It's amazing how many people I talk to that say they have DSL that actually have cable modems.

  7. Re:Dangerous, and probably illegal. by Anonymous Coward · · Score: 2, Insightful

    Impossible for so many reasons. Read up on the phone network; it is impossible to send any large amount of electricity down it.

    Also, you can connect up homebrew devices. The only thing you will degrade is your own private phone network, no one else's.

    Why would it be a DMCA violation in the first place?
    Do you even know what it stands for?

  8. I was wondering. by FreeLinux · · Score: 2, Interesting

    I was wondering about this. It seems, to me, that this hack will render your modem useless on the cable network. What's the advantage of that?

    Changing the MAC address will effectively cut off service to your modem. Being able to update the firmware sounds nifty, but do you have new firmware that you need to install? Is there some service that you need so badly, on a cable modem, that you would spend your time writing new firmware for it?

    I just don't see the advantage to this hack. I can see the advantage of previous hacks to uncap a modem but, even those hacks put you at risk of having your service terminated or worse, criminal charges being brought against you.

  9. Re:Dangerous, and probably illegal. by Anonymous Coward · · Score: 2, Funny

    why would it be a DMCA violation in the first place?
    do you even know what it stands for

    I believe it stands for "YHBT".

  10. WOOOHOOO by Anonymous Coward · · Score: 5, Funny

    I can't wait for a few days until all the people that try this hack are kicked off the network, allowing my service to go faster.

    yay for stupid people.

  11. Hacking cellphones by null+etc. · · Score: 5, Insightful

    Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone...

    Try the discussion forums over at wirelessadvisor.com

    I posted a teaser message there once regarding the Motorola T720. By using the USB modem cable and a COM port sniffer, I determined that extended AT modem commands were used to synchronize the phone with the desktop. By posting my findings, someone took the initiative and started a Yahoo! group for hacking the T720. Within a month, the group had 400 members and within five months the group had collectively hacked the T720.

  12. great for deniability in court by Anonymous Coward · · Score: 3, Interesting

    MAC address/IP are often used in court. Things get interesting when people can change or spoof these things.

  13. Great way to lose your service. by papasui · · Score: 4, Insightful

    This violates most acceptable use policies, regardless of whether you own the cable modem or not. Changing your modem's MAC address would fall under hacking, as you could cause service interruptions on your network segment for other people. You're paying for internet service, not the right to fuck around with a company's million-dollar network. We had a kid get arrested for this; he changed his modem's MAC every day but never changed his NIC's. Pretty trivial to track him down.

    1. Re:Great way to lose your service. by papasui · · Score: 3, Informative

      ARP

    2. Re:Great way to lose your service. by Sc00ter · · Score: 3, Informative
      Via SNMP and the ARP table of the modem. The cable provider still has access to the modem via SNMP.

    3. Re:Great way to lose your service. by papasui · · Score: 2, Funny

      There were some other factors surrounding this, but I can't discuss it.

    4. Re:Great way to lose your service. by papasui · · Score: 2, Interesting

      He was pushing his own copy of our cm file from his tftp server. He was changing his MAC address to avoid being tracked but neglected to change his NIC's MAC. The rest was just a bit of investigating work. We know what areas combine to what on our network and we have tools that match customer info back to the live MAC addresses on the system. After that there was only a handful of people that it possibly could be.
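
      The correlation papasui describes (a modem MAC that rotates while the NIC behind it stays constant) is easy to automate from the operator side. Added example, not from the thread or from any ISP's tooling: the snapshot layout, the helper names and the MAC values are constructed assumptions standing in for per-day CPE entries polled from modem ARP tables over SNMP.

```python
"""Flag CPE (NIC) MACs that keep appearing behind different cable-modem MACs.

Added example, not from the thread or any ISP's tooling. The snapshot
format and helper names are assumptions; all records are constructed.
"""
from collections import defaultdict

# Constructed snapshots: (date, node, cm_mac, cpe_mac). In practice each row
# would be one ARP-table entry pulled from a modem or the CMTS via SNMP.
SNAPSHOTS = [
    ("2004-12-01", "node-7", "02:00:00:aa:aa:01", "02:00:00:11:22:33"),
    ("2004-12-01", "node-7", "02:00:00:aa:aa:02", "02:00:00:44:55:66"),
    ("2004-12-02", "node-7", "02:00:00:bb:bb:03", "02:00:00:11:22:33"),  # same PC, new modem MAC
    ("2004-12-02", "node-7", "02:00:00:aa:aa:02", "02:00:00:44:55:66"),
    ("2004-12-03", "node-7", "02:00:00:cc:cc:04", "02:00:00:11:22:33"),  # and again
    ("2004-12-03", "node-7", "02:00:00:aa:aa:02", "02:00:00:44:55:66"),
]


def cpe_to_modems(snapshots):
    """Map each CPE MAC to the set of distinct modem MACs it has been seen behind."""
    seen = defaultdict(set)
    for _date, _node, cm_mac, cpe_mac in snapshots:
        seen[cpe_mac.lower()].add(cm_mac.lower())
    return seen


def rotating_modem_cpes(snapshots, min_distinct=2):
    """Return {cpe_mac: sorted modem MACs} for NICs seen behind >= min_distinct modem MACs.

    A legitimately replaced modem produces two entries over a long window; a NIC
    behind a new modem MAC every day stands out once the threshold is crossed.
    """
    return {cpe: sorted(cms) for cpe, cms in cpe_to_modems(snapshots).items()
            if len(cms) >= min_distinct}


def nodes_for_cpe(snapshots, cpe_mac):
    """Segments the flagged NIC has appeared on; narrows the subscriber list to one node."""
    return sorted({node for _d, node, _cm, cpe in snapshots if cpe.lower() == cpe_mac.lower()})


if __name__ == "__main__":
    for cpe, cms in rotating_modem_cpes(SNAPSHOTS).items():
        print(f"{cpe}: {len(cms)} modem MACs {cms} on {nodes_for_cpe(SNAPSHOTS, cpe)}")
```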

  14. Wrong law, bucko. by SCPRedMage · · Score: 2

    It wouldn't be a DMCA issue; DMCA applies to copyright protection. Hacking your modem isn't going to let you bypass some obscure copy-protection scheme.

    --
    My sig can beat up your sig.
  15. Article content by PuppiesOnAcid · · Score: 2, Funny

    Warning: mysql_connect(): Can't connect to MySQL server on 'engdb.agava.com' (61) in /home/t/tcniso.hosting.agava.com/WWW/db_connect.php on line 10
    Can't connect to MySQL server on 'engdb.agava.com' (61)

    =)

  16. Explain this to me, please? by khrtt · · Score: 2, Interesting

    The only way you can possibly benefit from this is to uncap the modem, which is about as kosher as petty shoplifting. And you wouldn't need to reflash the modem for it anyways.

    So, if you are not uncapping it, then what's the point? It's not like you are going to add any badly missed features, or make a Linux print server out of it. Maybe it's just my lack of imagination, but I just don't see any practical uses for a hacked cable modem. I mean, other than getting the inner satisfaction from proving that you are actually able to read and flash the EEPROM :-). But then, you could just use a screwdriver and an EEPROM programmer...

  17. 2400 bps modems? by Anonymous Coward · · Score: 3, Funny

    I've got a box-full of old 2400 bps modems and it would be great if these guys can find a way to tweak some speed out of them.

  18. Hold up! by El+Camino+SS · · Score: 3, Funny

    The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM which throws the device into a diagnostic panic mode. Then by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developers menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

    Whoa, slow down.

    Corky here can't handle frontpage paragraphs like that first thing in the morning.

  19. Motorola V710 phone hack here by scattol · · Score: 4, Informative

    There are instructions on this web site on how to modify your v710 phone to turn on all the bluetooth functionality. You need to register though. Don't know if they work, I haven't tried them so you are on your own.

    If they work, let us know.

    1. Re:Motorola V710 phone hack here by Anonymous Coward · · Score: 3, Informative

      I registered a fake user and posted it on bugmenot.com:

      user: userboy
      pass: pants1

  20. Re:Dangerous, and probably illegal. by papasui · · Score: 3, Informative

    In a two-way system, yes, both a forward and return path are provided completely through the cable provider. In a one-way system the return path is provided through the phone; Motorola's Surfboard 2100D has a CAT3 connector on it for this purpose. I'll bet that there are still a few of these in the US.

  21. Also Discovered by Jozer99 · · Score: 5, Funny

    It was also discovered that by permanently grounding the clock, the RCA cable modem could be turned into a full fledged Radeon 9700 Pro...

  22. Uncapping? No... by telemonster · · Score: 2, Interesting

    Uncapping of the rate? No. Promiscuous mode is where the terror begins! Sniffing the traffic on the segment is where the real press will begin.

    --
    Southeastern Virginia REPRESENT!
  23. What about the more legit uses? by anthony_dipierro · · Score: 5, Interesting

    Everyone is talking about how this is a bad thing to do on someone else's network, but what about on your own network? Is it possible to get two cable modems to talk to each other over a coax cable? Can you hack the things to run distributed.net software? There are an awful lot of people out there with cable modems but no cable modem service.

  24. Back in the day... by danuary · · Score: 5, Interesting
    I worked for a startup cablemodem ISP. This was the mid-90's, before DOCSIS; we used proprietary equipment.

    We discovered and hounded the vendor relentlessly about the fact that the modems had a serial port for dial-upstream service. If you jumped a couple pins on the serial port, reset the modem, and plugged in a serial line 9600/8/n/1 you'd get the modem's diagnostics (password protected, albeit with a very weak password).

    The things you could do from the diag screen were downright scary. All this and more. You could determine the downstream and upstream freqs; you could also set the modem to transmit on any upstream frequency at any level up to 60dB. We played around with it for a bit. We set up a test modem and had it transmit for a second at 60dB on one of our upstream freqs; it took out ~400 users' service for about a half hour. Had we done it on the PPV freqs, it would have taken out PPV for a few thousand people. Fun stuff.

    And to my knowledge, they never fixed it.