You are on page 1of 6

I have compiled some info from different sources which can be useful to configur e SB5100MoD firmware after initial

flashing. Here you will see how to set some o ptions that are present in WebGUI of Haxorware 1.1(based on SB5102N- 0-DIAG) and absent in SB5100MoD (based on SB5100- Most thin gs should be adjusted via telnet and some from WebGUI. Standard Motorola's WebGUI is accessed at Note: There is easter egg (secret page) in standard WebGUI: /gicredits.html SB5100MoD (DD-WRT WebGUI) is accessed at (default passw ord is SB5100MOD) If you cannot access WebGUI by correct password: After you enter password, do no t try to press Enter on keyboard. Press login button with left mouse button inst ead. It should work. There is a bug in SB5100MoD WebGUI. Or maybe in some browse rs? :) In case you have forgot WebGUI password, you can see it in telnet: read_memory 0xbfd40120 In case you have forgot login to telnet, you can see it by using SNMP utils http :// snmpget -v 1 -c public And password to telnet: snmpget -v 1 -c public

So as you see, to maintain security, you need to disable SNMP daemon which by th e way runs on both coax and ethernet interfaces. If you can't do it in CM config , just change SNMP port to some weird value. Before connecting your modem to coax network, consider to go in WebGUI and set f ollowing options: 1. Basic Setup: Factory mode: Disable Configuration Page Changeable: Enable Reboot Disabler: Enable Force Network Access: Enable SNMP Port: 62127 (it should be some weird value in 1-65535 range for example) 2. Clone: Set HFC MAC - that is the MAC all are talking about :) Serial number and Ethernet and USB MACs are optional but some providers check it too. So it could be the good idea to set them too. Change sysDescr and docsDevSwCurrentVers fields. Put your actual version string regarding of ISP. http://www.sbhacker....e-spoof-method/ 3. CM Config Tick: Load Config from Flash Memory and Upload config

4. HTTPD Change password and Enable 5. Telnet Change Login and Password and Enable 6. Press button Restart form Tools (for enabling telnet) or just reboot modem by swithching the power off and on. After that to increase security of your modem enter following commands in telnet . Not in the shell of WebGUI! 1. Disable Factory Mode button in WebGUI of SB5100MoD does not work. And by defa ult that option is on. It's very dangerous to have it on because anybody can fet ch your modem's certificates/keys over the coax. Also it causes low memory issue . So to disable it, use following commands in telnet: cd n/s allow_config false write

2. By default on SB5100MoD, telnet access from coax side is enabled. It's a majo r security risk. So it's good to disable it by following commands: cd n/m telnet_ipstacks 2 write

3. Disable diagnostic agent after registration cd n/s diag_disable_post_reg true write

4. Disable SNMP filters (filters that provider sets to restrict ports and IP ran ges use): cd s filters off yes Note: this command works only until modem reboots. 5. TFTP-enforce bypass on SB5100MoD is always on. Even if Load Config from Flash Memory option in WebGUI is enabled, firmware tries to load config from TFTP ser ver first. And only after successful loading from TFTP, applies config from flas h memory. Note: There is also the bug connected to this behaviour. If TFTP server is down, firmware infinitly cycles on trying to get config file from TFTP server and ("TFTP failed - request sent - No Response" is written to the log) instead of skip trying and just loading it from flash memory

like Haxorware does. Do not know how to edit config files? Read here: http://www.sbhacker....dpost__p __68337 Note: SB5100MoD does not allow to use config files without CmMic (MD5 of config) at the end of config file (which can be stripped off with MD5Remover). If you l oad such config into the modem and will get following string the event log: "BcmCmConfig validation tests failed, re-scanning downstream". In case Config Uploader button in WebGUI does not work (modem reboots) try to do what is written here http://www.sbhacker....loading-config/ For me helped the part with commands in shell of WebGUI. And keep on trying unti l the config uploads no matter reboots modem or not. 6. To set static IP (needed if you want to sniff coax without even be registered at CMTS) cd n/d dhcp_settings fake_reg true write cd / res

7. Disable BPI and BPI+: cd n/d enable bpi false write *************For TimeWarner RoadRunner Tested 8. Enable BPI and switch off BPI+: cd n/d enable bpi true bpi_version 0 write *********************************************** 9. Enable BPI+: cd n/d enable bpi true bpi_version 1 write

10. Clear event log: cd ev flush

11. Ignore unknown messages in event log (Turns off recording and displaying in

telnet "warnings" error messages, like "unknown message type" 31 or 32. That mes sages sometimes show up and flood telnet, waste RAM and CPU and cause modem to r eboot because of low memory) cd n/m se 3 write

Note: Do not wonder if you get incorrect time in event log records. There is a b ug in firmware that appears on some Docsis networks. Firmware sets incorrect UTC Time Offset after ToD reply. Discussed here: http://www.sbhacker....od-tod-prob lem/ Wonder what are those T1,T2,T3,T4 timeouts in the event log? Read description he re: http://www.sbhacker....dpost__p__69851 12. Activating Docsis 1.1 (in case you have problems connecting to that network) cd n/d enable docsis11 true write

13. By default support for Docsis 2.0 ATDMA modulation for upstream channel is s witched off. (in case you have problems connecting to network with that type of upstream channels you can switch it on) cd n/d enable advphy 1 write

14. Select Docsis or EuroDocsis mode. (This is actual for E models only. Read ab out it here http://www.sbhacker....ost__p__69284): cd n/h annex_# cm_annex @ write Note: It is necessary to change the cm_annex too if you change the annex (# = a -> EuroDOCSIS, b -> DOCSIS) (@ = 1 -> Annex A, 0 -> Annex B, 2 - Annex C, 3 hybrid) Remember after any changes, it is recommended to reboot modem. It can be done in WebGUI or in telnet cd / reset

How to check if coax side is ok? Check signal values at corresponding page in st andard WebGUI. Downstream:

Signal to Noise Ratio should be: higher than 33dB (35 preffered) Power Level: -15 to +15dB (-10 to +10 preffered) Upstream: Power Level: < 55 dBmV (less than 50 preffered) Note: more deep info is here: http://www.sbhacker....showtopic=16706 How to flash it the best way: First of all you need a cable. It better to use some USB JTAG but if you cannot get or afford it, there's always the way to build it yourself: http://www.sbhack er....ble-schemetics/ For flashing SB5100MoD it's better to use author's software JTAG Utility v1.3 Tom's Jtag Utility 1. detect (this command gives info about flash chip and loads config for it) 2. getram flash (reads whole flash chip content into PC's memory) 3. save flash (saves whole flash chip content (backup) from PC's memory to HDD) 4. ldram boot (loads noisy bootloader http://www.sbhacker....&attach_id=2332 fro m HDD into PC's memory) 5. program boot (programs bootloader from PC's memory into flash chip) 6. ldram image0 (loads SB5100MoD.bin from HDD into PC's memory) 7. program image0 (programs SB5100MoD.bin from PC's memory into flash chip) If it does not detect flash (when using simple blackcat LPT cable) try to use an other (prefferable older PC) To 1. 2. 3. restore original firmware (from backup): detect ldram flash program flash

If eventually your modem become brick. Read this: http://www.sbhacker....dpost__ p__43620 or recover by using script: http://www.sbhacker....dpost__p__69094 Why noisy bootloader is good? It comes from old good SB4100 modem and comes with Webstar DPC2100 stock firwares. It does not check firmware checksums and sends output of boot process to the serial port and adds you possibility to flash firm ware through serial cable (max232 cable like is used for mobile flashing) which is much faster than flashing firmware by simple JTAG cable. Standard bootloader does not have that options. Here is how to connect that cable to SB5100 board ht tp://www.sbhacker....rd-connections/ You cannot flash firmware with just serial cable without having JTAG cable, beca use you need to make full backup of flash and flash in noisy bootloader with JTA G before connecting serial cable so decide that one only for diagnostic purposes . But in the future, having noisy bootloader in, you can reflash modem's firmwar e by serial cable only without JTAG. If you ever wonder what is inside your modem read it here http://www.sbhacker... .-sb510x-modems/ I addition I can tell you why SB5100 and SB5101 firmwares are so different. Beca use of operating systems. SB5100 uses VxWorks while SB5101 uses eCos. The SB5101 was designed to replace the SB5100 in production. The main difference is that the SB5101 uses the cheaper chipset Broadcom BCM3349 instead of the SB5 100 s BCM3348. It also uses an integrated Broadcom BCM3419 single-chip conversion silicon tuner, instead of a can style tuner. Also, the firmware for the SB5101 i s based on the SB5100, but recompiled using the BCM3349 board support package fr om Broadcom. This minor difference makes firmware for the SB5100 incompatible wi

th the SB5101. The only feature that the SB5101 has that the SB5100 lacks is sup port for up to 16 service IDs (SIDs) instead of the SB5100 s 4, according to Motor ola s published specification. If you wonder about flash types and theirs mappings, read http://www.sbhacker... .showtopic=15349 To see memory status go to the SB5100MoD WebGUI->Tools and press memShow button. Or enter memShow in telnet. Note: If you do not run heavy torrents or do not have issues with rebooting, con sider not to memory mod your SB5100 because it's dangerous operation. If you wan t to do it, just be careful when soldering. Use good soldering technique like sh own here but is advised to use an special SMD rework station. By using simple techniques you can seriously run the risk o f damaging the glue that holds the traces to the PCB! Hope it will help to newbies what is going on with theirs modems http://chapters .scte...TE_detail_2.ppt And this will enlight about hacking process: ppt Another good document: http://www.soldierx....ke_durandal.ppt And of course great Haynes guide: http://www.sbhacker....h&attach_id=924 And to become advanced hacker, you need to learn "Hacking The Cable Modem What C able Companies Don't Want You To Know by DerEngel" book from cover to cover http :// Wonder what's happening when you plug modem in for the first time? http://www.sbhacker....showtopic=16731 Do you ever wonder what does that modulations mean and what are real rates in me gabits? The following table will help (note that is DOCSIS table): Attached Image: DOCSIS mod rates.GIF In firmwares you can see TDMA and ATDMA upstream modulations. They are correspon ding QAM modulations from table above. TDMA - Docsis 1.x, ATDMA - Docsis 2.0. Stay tuned for additions. Corrections are welcome.