Slashdot Mirror

← Back to Stories (view on slashdot.org)

RCA / Thomson Modem Hack Discovered

Posted by Hemos on from the the-joy-of-hacking dept.

An anonymous reader writes "Those un-employed modem hackers are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM which throws the device into a diagnostic panic mode. Then by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developers menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

29 of 182 comments (clear)

  1. Don't fuck around w/your modem's MAC. by garcia · · Score: 5, Interesting

    Just remember that some cable ISPs use modem MAC authentication and changing your MAC address could possibly disable your access to the Internet. Some cable ISPs use "bottom-up" provisioning which allows you to re-register your modem's MAC address and tie it to your account (useful if you buy your own modem) but others could still be using manual provisioning which could cause delays in regaining block-sync.

    Personally, don't fuck around w/your cable modem. It works just fine the way it is. Hacks are a wonderful educational/mental exercise but I wouldn't exactly be trying this if you don't want to lose connectivity to your ISP.

    1. Re:Don't fuck around w/your modem's MAC. by Saxton · · Score: 4, Insightful

      That, and is there any real functionality you are able to get from this hack? Didn't seem like it. I am guessing for 95% of the people that do it are going to follow the directions, say "yay I did it" and then forget all about it other than being able to tell their friends that they owned their own cable modem.

      *yawn*

      -Aaron

      --
      My name is Aaron Landry, and I approve this message.
    2. Re:Don't fuck around w/your modem's MAC. by Sc00ter · · Score: 3, Interesting
      You could hack the bootp config file and get faster upload/download speeds.

      --
      Free Mac Mini
    3. Re:Don't fuck around w/your modem's MAC. by garcia · · Score: 4, Informative

      So? You can do that w/o a hardware hack using a TFTP server and a text editor. Most cable ISPs already scan their networks for modified cable modem config files and disable them for ToS violations.

    4. Re:Don't fuck around w/your modem's MAC. by Jeff+DeMaagd · · Score: 3, Insightful

      Uncapping or raising your cap is likely in violation of your contract and grounds for termination. Basically if you did this, you could be charged with theft of service.

    5. Re:Don't fuck around w/your modem's MAC. by Sc00ter · · Score: 3, Insightful
      Some versions of the firmware won't allow bootp files to be recived from the ethernet interface. This hack lets you change the firmware to a version that does allow it. So it may still be a required step.

      --
      Free Mac Mini
    6. Re:Don't fuck around w/your modem's MAC. by afidel · · Score: 3, Informative

      MAC addresses are stripped at the first hop so unless someone is specifically looking for you and has a valid search warant I wouldn't be too worried about your MAC address.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Don't fuck around w/your modem's MAC. by DigiShaman · · Score: 4, Interesting

      As a Time Warner employee for the Austin TX area, our cable modems (regardless of brand, be it 3com, Ambit, Toshiba...etc) have a 10.x.x.x IP address that is not accessable to the public. Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly. If you make any changes to the modem by chance and uncap your modem, some fuzzy-logic software will check the checksum of the bin files on that modem (so I've been told by the abuse department). If that bin file has been modified or the firmware flashed to something other than what its supposed to have; expect your account to be disabled.

      Chances are at this point, there will be no nogotiation. If so, you will have to find another ISP as we do not tollorate what-so-ever of people uncapping their modems. And believe me, we have quite a nice tech-savy population in Austin that DO try to get away with it.

      --
      Life is not for the lazy.
  2. Re:How long... by garcia · · Score: 3, Insightful

    Until they are discovered and those modified cable modems are de-serviced?

    I was wondering if people could use a modified firmware that would report a valid modem config file back to the ISP when the ISP scans for ones that were not sanctioned.

    The ISP could powercycle the modems remotely and push new firmware to all the modems rather easily. I would assume that the pushed firmware would include a way to block unauthorized firmware from connecting to the network.

    Who knows if they'd be that interested though?

  3. Note the date.. by Anonymous Coward · · Score: 5, Informative

    ..of the securityfocus story. It says "Feb 5 2004". It's nearly a year old!

  4. Cue FBI raids in 5...4...3.. by EvilStein · · Score: 5, Interesting

    Remember these cable modem tweakers that were raided by the FBI?

    1. Re:Cue FBI raids in 5...4...3.. by garcia · · Score: 3, Informative

      Remember these cable modem tweakers that were raided by the FBI?

      Those individuals were "uncapping" their cable modems by changing their modem config file and uploading it to their modems. That could be labeled theft of service as you are effectively stealing bandwith that you didn't pay for.

      Modifying the firmware on your cable modem doesn't necessarily have to mean uncapping your modem config file and upping your possible bathwidth.

      In fact, this method is quite a bit more difficult than just editing the modem config file (as it requires a hardware interface not just a TFTP server).

    2. Re:Cue FBI raids in 5...4...3.. by Vo0k · · Score: 3, Insightful

      Resident sniffer/logger.
      Simple Firewall.
      Monitor, blinking LEDs on certain kinds of packets arriving.
      "Wake on ring" if not present by default.
      "extra secret storage" in unused flash.
      Changing MAC address...
      *less* bandwidth (throttling your uplink, etc)

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
  5. Re:Dangerous, and probably illegal. by Neophytus · · Score: 3, Funny

    Please note cable modems do not connect to the telephone network. They connect to the cable company's private wires.

  6. Question by MisanthropicProgram · · Score: 3, Interesting

    Could these guys get arrested or sued under the DMCA?

  7. WOOOHOOO by Anonymous Coward · · Score: 5, Funny

    i cant wait for a few days until all the people that try this hack, are kicked off the network allowing my service to go faster.

    yay for stupid people.

  8. Hacking cellphones by null+etc. · · Score: 5, Insightful

    Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone...

    Try the discussion forums over at wirelessadvisor.com

    I posted a teaser message there once regarding the Motorola T720. By using the USB modem cable and a COM port sniffer, I determined that extended AT modem commands were used to synchronize the phone with the desktop. By posting my findings, someone took the initiative and started a Yahoo! group for hacking the T720. Within a month, the group had 400 members and within five months the group had collectively hacked the T720.

  9. great for deniability in court by Anonymous Coward · · Score: 3, Interesting

    MAC address/IP are often used in court. Things get interesting when people can change or spoof these things.

  10. Great way to lose your service. by papasui · · Score: 4, Insightful

    This violates most acceptable use policies, regardless if your own the cable modem or not changing your modems mac address would fall under hacking as your could cause service interruptions on your network segment for other people. Your paying for internet service not the right to fuck around with a companies million dollar network. We had a kid get arrested for this, changed his modems mac everyday but never changed his nic's. Pretty trivial to track him down.

    1. Re:Great way to lose your service. by papasui · · Score: 3, Informative

      ARP

    2. Re:Great way to lose your service. by Sc00ter · · Score: 3, Informative
      via SNMP and the arp table of the modem. The cable provider still has access to the modem via SNMP.

      --
      Free Mac Mini
  11. 2400 bps modems? by Anonymous Coward · · Score: 3, Funny

    I've got a box-full of old 2400 bps modems and it would be great if these guys can find a way to tweak some speed out of them.

  12. Hold up! by El+Camino+SS · · Score: 3, Funny


    The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM which throws the device into a diagnostic panic mode. Then by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developers menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

    Whoa, slow down.

    Corky here can't handle frontpage paragraphs like that first thing in the morning.

  13. Motorola V710 phone hack here by scattol · · Score: 4, Informative

    There are instructions on this web site on how to modify your v710 phone to turn on all the bluetooth functionality. You need to register though. Don't know if they work, I haven't tried them so you are on your own.

    If they work, let us know.

    1. Re:Motorola V710 phone hack here by Anonymous Coward · · Score: 3, Informative

      I registed a fake user and posted it on bugmenot.com:

      user: userboy
      pass: pants1

  14. Re:Dangerous, and probably illegal. by papasui · · Score: 3, Informative

    In a two way system yes both a forward and return path are provided completely through the cable provider. In a 1 way system the return path is provided through the phone, Motorola's Surfboard 2100D has a CAT3 connector on it for this purpose. I'll bet that there is still a few of these in the US.

  15. Also Discovered by Jozer99 · · Score: 5, Funny

    It was also discovered that by permanantly grounding the clock, the RCA cable modem could be turned into a full fledged Radeon 9700 Pro...

  16. What about the more legit uses? by anthony_dipierro · · Score: 5, Interesting

    Everyone is talking about how this is a bad thing to do on someone else's network, but what about on your own network? Is it possible to get two cable modems to talk to each other over a coax cable? Can you hack the things to run distributed.net software? There are an awful lot of people out there with cable modems but no cable modem service.

  17. Back in the day... by danuary · · Score: 5, Interesting
    I worked for a startup cablemodem ISP. This was the mid-90's, before DOCSIS; we used proprietary equipment.

    We discovered and hounded the vendor relentlessly about the fact that the modems had a serial port for dial-upstream service. If you jumped a couple pins on the serial port, reset the modem, and plugged in a serial line 9600/8/n/1 you'd get the modem's diagnostics (password protected, albeit with a very weak password).

    The things you could do from the diag screen were downright scary. All this and more. You could determine the downstream and upstream freqs; you could also set the modem to transmit on any upstream frequecncy at any level up to 60dB. We played around with it for a bit. We set up a test modem and had it transmit for a second at 60dB on one of our upstream freqs; it took out ~400 users' service for about a half hour. Had we done it on the PPV freqs, it would have taken out PPV for a few thousand people. Fun stuff.

    And to my knowlege, they never fixed it.