Haxorware Modem Firmware

This book is intended to be a manual for Haxorware which is a custom cable modem firmware.
This is a legal firmware change.
This book is NOT intended to demonstrate or condone any illegal practices.
DO NOT add information to this book regarding ANY theft of serice!
Overview
Current Revision: "." #$%
Compatibility: All &'($$)% chipset based modems *+ncluding ,&-"."/0/i1 ,&-".2/0/i1 3ebstar
D4'2"..#21 #'A D'()2-1 Ambit 2-./2--/2-56
Versions: D+A7 8 9+T0.
D+A7
(ight not perform optimally on a :(& ram modem *"5/$2mb upgrade recommended6.
&ased on sb-".2u/n firmware *which includes diagnostic output1 console and ,4+ support6
(uch more ;erbose to troubleshoot issues.
,tandby button does not work
(emory leak on ,4+ modems fixed in #e$%
9+T0
&ased on sb-"."e firmware
Does not support ,4+ flash based modems.
'rippled shell 8 much less diagnostic output in telnet/serial.
,tatic +4 option is missing because there is no ipconfig command in the shell anymore *and
the entire /ip page is missing too6.
The standby button on a -"." works in 9+T0
Haxorware Modem Firmware/Installation
+nstallation aries based on your aailable method. ,ome methods re<uire different hardware
modifications such as a =tag or serial connector *outside the scope of this pdf6 A93AY, backup
current firmware. +f you flash a 2mb dump oer the existing firmware you will lose the modems
original certificates foreer.
Jtagtility Instru!tions:
+f your modem is currently running infinite firmware it is recommended to restore it to stock1 like it
was out of the box. To do this you restore your 2(& backup that i hope you made before flashing
infinite. The commands are as follows>
detect
ldram 9fc00000
(A File Open dialog will appear, find your 2MB backup file and click open)
program 9fc00000 200000
+t is recommended you make a backup before flashing haxorware *or any other hacked firmware6
onto your modem. To create a 2(& backup with =tag?tility1 enter the following commands>
detect
getram 9fc00000 200000
a!e 9fc00000 200000
(A a!e a dialog will appear, c"ooe w"ere to a!e your 2MB backup)
To program haxorware to your modem using =tag?tility1 issue the following commands>
detect
ldram 9fc#0000
A File Open dialog will appear, find t"e "a$orware firmware file you want
("a$orware##re!%%&%%%%'bin) and click open
program 9fc#0000 #(0000
After the flashing is complete1 reboot your modem and en@oy Haxorware
Flas"ing over serial:
Diagnostic cable instructions *re<uires noisy bootloader6>
)et your computer ip to #92'#*+'#00'#0
)et up a ,F,- er!er wit" "a$orware##re!%%&%%%%'bin in it root
.onnect to modem wit" "yperterminal or putty (wit" c"anged ./01F to 1F)
2"ile modem i turning on pre p (you "ould get a prompt)
3f you do not get a prompt for preing p, your modem doe not "a!e a noiy
bootloader, and you will "a!e to ue 4,A5
)et t"e Modem 3- to #92'#*+'#00'#
1ea!e e!eryt"ing ele at t"eir default (6ut pre enter)
2"en you get at t"e bootloader menu pre d
7nter #92'#*+'#00'#0 a ,F,- 3-
7nter "a$orware##re!%%&%%%%'bin a filename
3t "ould download (t"e dot indicate progre)
2"en aked w"at image to a!e to, anwer #
Anwer y to t"e 8)tore uncompreed image8 prompt
pre b once you are back at t"e menu to boot t"e modem
#$J%&' Instru!tions:
+f your modem is currently running infinite firmware it is recommended to restore it to stock1 like it
was out of the box. To do this you restore your 2(& backup that i hope you made before flashing
infinite. The commands are as follows>
detect
ldram 9fc00000
(A File Open dialog will appear, find your 2MB backup file and click open)
program 9fc00000 200000
+t is recommended you make a backup before flashing haxorware *or any other hacked firmware6
onto your modem. To create a 2(& backup with usb@tag enter the following commands>
detect
getram 9fc00000 200000
a!e 9fc00000 200000
(A a!e a dialog will appear, c"ooe w"ere to a!e your 2MB backup)
To program haxorware to your modem using ?,&=TA71 please oerwrite your usb@tag.def with the
one from this archie. After that1 start ?,&=TA7 and choose the ,&-"." profile *ToolsAB'onfig
will open the profile selection dialog6 Then issue the following commands>
detect
ldram Firmware
(A File Open dialog will appear, find "a$orware##re!%%&%%%%'bin and click open)
program Firmware
After the flashing is complete1 reboot your modem and en@oy Haxorware
#$J%&'(% Instru!tions:
+f your modem is currently running infinite firmware it is recommended to restore it to stock1 like it
was out of the box. To do this you restore your 2(& backup that i hope you made before flashing
infinite. The commands are as follows>
detect
ldram 9fc00000
(A File Open dialog will appear, find your 2MB backup file and click open)
program 9fc00000 200000
+t is recommended you make a backup before flashing haxorware *or any other hacked firmware6
onto your modem. To create a 2(& backup with usb@tag enter the following commands>
detect
getram 9fc00000 200000
a!e 9fc00000 200000
(A a!e a dialog will appear, c"ooe w"ere to a!e your 2MB backup)
To program haxorware to your modem using ?,&=TA7NT ,tart ?,&=TA7NT and choose the
,&-"."(od profile *ToolsAB'onfig will open the profile selection dialog6 Then issue the following
commands>
detect
ldram Firmware
(A File Open dialog will appear, find "a$orware##re!%%&%%%%'bin and click open)
program Firmware
After the flashing is complete1 reboot your modem and en@oy Haxorware
pgrading )rom previous s"elled )irmware *in)inite+ or
Haxorware ,-.
)et your computer ip to #92'#*+'#00'#0
)et up a ,F,- er!er wit" "a$orware##re!%%&%%%%'bin in it root
Make ure t"e "a$orware webgui in9t currently open
.onnect to modem wit" "yperterminal or telnet to t"e 3- #92'#*+'#00'#
7nter your uername and paword
cd 0ip
ipconfig # releae
y
dload &i # &l &f #92'#*+'#00'#0 "a$orware##re!%%&%%%%'bin
y
cd 0
reet
Haxorware "." should now boot
pgrading )rom Haxorware ,-,
Make ure t"e modem9 cpu uage i low, o if it9 currently canning for
downtream make it top by going to t"e web "ell and doing
cd 0doci
can:top
,"e afet time to do t"e Firmware ;pgrade i w"en t"e modem i fully
operational and online'
,"en ue t"e Firmware ;pgrade page on t"e 2eb5;3, find "a$orware##re!%%&
%%%%'bin and upload it to t"e modem in t"e Firmware ection
/eboot t"e modem uing t"e 2eb5;3 or ot"erwie, and t"e new !erion of
<a$orware "ould now boot
Haxorware #tatus/Overview
HFC /arameters
Mode DH'4 assigned address or ,tatic
I/ &ddress Your currently assigned +4 address
#ubnet ,ubnet mask applied to your +4 address
%F%/ #erver C4roisionedC 'onfig file name assigned by your isp
%F%/ Filename D4roisionedC 'onfig file name assigned by your isp
%o0 #erver C4roisionedC Time Of Day serer +4 assigned by your isp to synchroniEe against.
Con)iguration )ile (ame CActualC 'onfig file name in use. when using one different from what
was assigned by the +,4 the filename shows here.
#i1e 'onfig file siEe FCompliance ' DO',+, ersion compliance of this config file.
Haxorware #tatus/#ignal
0ownstream
Fre2uen!y This is the fre<uency your downstream channel is on
#tatus 3hether the channel is locked or in process
&nnex DO',+, or 0?#ODO',+,
Modulation (odulation rate such as GA(2-51 GA("51 etc. Higher is faster.
#ymbol Rate Number of symbols per second.
Re!eive /ower Downstream channel signal strength measured in d&m;.
#ignal to (oise ratio ,N# measured in Decibles *Higher is better6
pstream
Fre2uen!y This is the fre<uency your upstream channel is on
C"annel I0 ?pstream channel number
#tatus 3hether the channel is locked or in process
Mode TD(A or ATD(A. *ATD(A is faster6
#ymbol Rate Number of symbols per second.
%ransmit /ower &roadcast signal strength to the head end at your +,4 measured in d&m;
Haxorware #tatus/3vent 4og
Displays 0ents and errors in operation
Haxorware Con)iguration/#ettings
settings
Fa!tory Mode This forces the modem to behae as if it was supplied by the +,4 and bypasses
customs settings.
0isable Firmware pgrades This option will force Haxorware to ignore new modem firmware
pushes from the +,4. ?nchecking this could compromise your Haxorware install.
For!e (etwor5 &!!ess
%)tp 3n)or!e $ypass +f your +,4 enforces Tftp config file this option will tell the modem to
download the supplied config file at the right point A een if you are using another one.
0isable I/ Filters on startup +4 filters are used by some +,4Fs to block traffic of certain types on
certain ports *such as if your +,4 blocks port :. to preent you from hosting a web serer6. This
option bypasses them entirely
%imeouts
Ignore %, *(o valid C0s+
Ignore %6 *Ranging Opportunity+
Ignore %7 *Ranging Response+
Ignore %8 *#tation Maintenan!e+
&dministration
Control /anel I/ &ddress ,et a different +4 than standard here if necessary
0HC/ #erver 'heck this to assign the +4 to 3AN on router or to 4'. ?ncheck this ON9Y if you
hae it set manually.
9eb'I
/assword prote!tion enable or disable 4assword protecting the 7?+ from tampering.
%elnet #erver
Current state 3hether Telnet serices are running
Run on startup 3hether Telnet should start when the modem is booted1 or only when manually
enabled.
Haxorware Con)iguration/Fre2uen!y
&nnex A 'hoose DO',+, or 0?#ODO',+, based on your region.
/lan 'hoose the type matching your region.
/re)erred 0# Fre2 ,: 6: ; 7 is displayed in CHEC not CmhEC *for example A 5..mhE would actually
be entered as 5........6 These are the fre<uencies checked first before scanning.
pstream C"annel This is the preferred upstream channel to try before scanning for aailable
channels.
Haxorware Con)iguration/&ddresses
&ddresses
HFC M&C This is the (ac address your +,4 will see for this modem. 'hanging this to a number
that does not hae factory certificates loaded will generate a self signed certificate. (ost +,4Fs do
not accept self signed certificate in &4+H docsis "." mode. 'lick copy from certificate to change
back to mac for current certificate.
3t"ernet M&C This is the mac address your computer or router sees when <uerying the modem ia
ethernet
#$ M&C This is the mac address your computer or router sees when <uerying the modem ia usb
#erial (umber This is the ,erial number for the modem presented upon <uery
Certi)i!ate generation
Certi)i!ate type 3hen generating certificates this is the type of certificate preferred
Haxorware Con)iguration/Con)ig File
For!e Con)ig File
#erver I/ This is the +4 address of the TIT4 serer hosting the config file you want to run.
File name This is the filename of the config file you want to pull from the aboe +4
&utoserve
&utoserve Con)ig File Disabled until new config is uploaded. ,ome +,4Fs can be tricked to allow
you online using a config file saed directly to your modem instead.
#tore new !on)ig 3here you upload a stored config file.
Haxorware Con)iguration/$aseline /riva!y
$aseline /riva!y
$/I &aseline priacy ersion running. &4+ "." must be enabled to use docsis "." config files with
alid certificates. &ypass must be enabled to use "." configs with self signed certificates but will not
work on all proiders
$a!5up/Restore
$a!5up &ackup your current certificate set
Restore )rom )ilesystem #estore uploaded or preiously backed up certificate sets
Restore )rom )ile
Certi)i!ate 0ownload
Download indiidual certificates
Certi)i!ate pload
?pload indiidual certificates here
Haxorware &dvan!ed/#tati! I/
For!e #tati! I/ 'heck this to force your modem to oerride any DH'4 assigned +nformation to the
contents below. Note that this does not stop your proider from assigning your +4 to another user
since you did not pull from their pool.
#uppress 0HC/ Re2uests 'heck this to ignore any re<uests from the proider to proide your
modem with a DH'4 lease
I/ &ddress 0nter your desired +4 Address here
#ubnet Mas5 0nter the applicable subnet mask here
'ateway 0nter the appropriate gateway here
%F%/ I/ 0nter your desired TIT4 serer +4 address here
%F%/ Filename 0nter the 'onfiguration filename on the TIT4 serer proided you wish to run
%o0 I/ 0nter your desired Time Of Day serer address here. This is generally the same as the TIT4
serer +4
Haxorware &dvan!ed/#tealt"
Modem Identi)iers
Vendor 0nter the manufacturer you want to emulate or tell the +,4 you are running
Model This is where you enter the (odel number information you want to supply
#o)tware Version This is where you enter the firmware ersion you want to supply
Override Hardware Version 'heck this to supply a different hardware ersion to the endor other
than what it is.
Hardware Version 0nter the hardware ersion you want to supply here
Override $ootloader Revision 'heck this to oerride the default bootloader reision sent to your
+,4
$ootloader Revision 0nter reision information here
#(M/ &gent
#erver /ort 4ort number for snmp scans
0isable #(M/ &gent a)ter registration 'heck this to disable snmp probe re<uests from your isp
after initial registration when the modem goes online *recommended6
Redire!t #(M/ %raps 3hen ,N(4 re<uests are sent redirect them to another deice and port
*such as another modem on the network6
I/ +4 address to redirect to
/ort Destination port at redirected +4
Haxorware &dvan!ed/0ownloader
This page allows you to download config files from your +,4Fs TIT4 serer to examine them with
programs such as ultureware or autosere them from the modem.
The +4 address and Iilename may be entered here1 and clicking download will prompt you with a
file sae dialog box.
Haxorware &dvan!ed/File Manager
Free #pa!e
$e)ore 0e)ragmentation ,iEe in J& before a defragmentation is performed
&)ter 0e)ragmentation ,iEe in J& after a defragmentation is performed
Haxorware Con)iguration
Con)ig File This allows you to Download or Delete the existing config file stored in the modem
File #i1e IilesiEe of config file in &ytes
3ntries Number of entries in the config file
Restore From File
FFiles< 4reious backup files or uploaded files are shown here which can be downloaded or deleted
in the following format>
'(KKKKKKKKKKKK.tar *siEe in bytes6 *option6Download Delete
pload (ew File
'hoose file dialog prompted when this is clicked. 'lick upload after picking file to upload
Haxorware 9eb #"ell
Any ,hell commands can be entered here. These are generally commands you might use when at a
file system shell *such as telnet6 without haing to open an actual session.
Haxorware $a!5up and Restore
Here you can &ackup either your nonol information1 or do a I?99 firmware backup *2(&6 to a
file. 3hen you click backup you get prompted with a file sae dialog.
You also can restore a preiously backed up Nonol here in case of issues
Haxorware Firmware upgrade
Firmware upgrade
Firmware Image 4ick the file you want to upload. &e sure to pick the right one. Haxorware DO0,
howeer hae proisions to preent drastically wrong choices *such as accidentally picking a ".kb
text file6
$ootloader upgrade
$ootloader Image ?pdate the bootloader only *such as if you need to load the noisy bootloader to
diagnose issues6
Haxorware Fa!tory 0e)aults
clears all dynamic settings such as preferred downstream fre<uencies1 upstream channel +Ds and
their power leels.
Haxorware &bout
+nformation about Haxorware
Haxorware Reboot
(odem reboot page
Relevant 4in5s
http>//www.sbhacker.net
http>//www.haxorware.com
Original idea educate taken from the wiki article here
http>//en.wikibooks.org/wiki/HaxorwareL(odemLIirmware