This book is intended to be a manual for Haxorware, which is a custom cable modem firmware. This is a legal firmware change. This book is NOT intended to demonstrate or condone any illegal practices. DO NOT add information to this book regarding ANY theft of service!

Current Revision: 1.1 R39
Compatibility: All BCM3349 chipset based modems (including SB5101/E/i, SB5102/E/i, Webstar DPC2100R2, RCA DCM425, Ambit 250/255/256)
Versions: DIAG & LITE

DIAG
• Might not perform optimally on an 8MB RAM modem (16/32MB upgrade recommended).
• Based on sb5102u/n firmware (which includes diagnostic output, console and SPI support).
• Much more verbose, to troubleshoot issues.
• Standby button does not work.
• Memory leak on SPI modems fixed in Rev39.

LITE
• Based on sb5101e firmware.
• Does not support SPI flash based modems.
• Crippled shell & much less diagnostic output in telnet/serial.
• Static IP option is missing because there is no ipconfig command in the shell anymore (and the entire /ip page is missing too).
• The standby button on a 5101 works in LITE.
Haxorware Modem Firmware/Installation
Installation varies based on your available method. Some methods require hardware modifications such as a JTAG or serial connector (outside the scope of this PDF). ALWAYS back up the current firmware. If you flash a 2MB dump over the existing firmware you will lose the modem's original certificates forever.
If your modem is currently running infinite firmware, it is recommended to restore it to stock, like it was out of the box. To do this, restore the 2MB backup that I hope you made before flashing infinite. The commands are as follows:
detect
ldram 9fc00000
(A File Open dialog will appear; find your 2MB backup file and click open)
program 9fc00000 200000
It is recommended you make a backup before flashing haxorware (or any other hacked firmware) onto your modem. To create a 2MB backup with JtagUtility, enter the following commands:
detect
getram 9fc00000 200000
save 9fc00000 200000
(A save as dialog will appear; choose where to save your 2MB backup)
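A backup that cannot be restored does nothing to protect the modem's original certificates. As an added example (not part of the original manual or of JtagUtility), this Python sketch checks two independent saves of the 2MB dump before anything is programmed; the function names and the 0x1000 comparison block are assumptions, while the base address and length are the ones used in the commands above.

```python
import hashlib

FLASH_BASE = 0x9FC00000  # address given to getram/save on this page
FLASH_SIZE = 0x200000    # length given to getram/save on this page (2 MB)
BLOCK = 0x1000           # assumption: reporting granularity only, not a sector size


def check_dump(data: bytes) -> list:
    """Return the problems found in a single dump; an empty list means it looks sane."""
    problems = []
    if len(data) != FLASH_SIZE:
        problems.append(f"size {len(data):#x} != expected {FLASH_SIZE:#x}")
    if data and data.count(data[0]) == len(data):
        problems.append(f"every byte is {data[0]:#04x} (blank or failed read)")
    return problems


def differing_blocks(a: bytes, b: bytes) -> list:
    """Flash addresses of the BLOCK-sized chunks where two reads disagree."""
    n = min(len(a), len(b))
    return [FLASH_BASE + off for off in range(0, n, BLOCK)
            if a[off:off + BLOCK] != b[off:off + BLOCK]]


def verify_backup(first: bytes, second: bytes) -> dict:
    """Accept a backup only if two independent reads are sane and identical."""
    problems = check_dump(first) + check_dump(second)
    mismatches = differing_blocks(first, second)
    ok = not problems and not mismatches and len(first) == len(second)
    return {
        "ok": ok,
        "problems": problems,
        "mismatched_blocks": [hex(addr) for addr in mismatches],
        "sha256": hashlib.sha256(first).hexdigest() if ok else None,
    }


if __name__ == "__main__":
    # Constructed sample data standing in for two saved dump files.
    good = bytes(range(256)) * (FLASH_SIZE // 256)
    flaky = bytearray(good)
    flaky[0x12345] ^= 0xFF  # simulate one bad byte in the second read
    print(verify_backup(good, good))
    print(verify_backup(good, bytes(flaky)))
    print(verify_backup(b"\xff" * FLASH_SIZE, b"\xff" * FLASH_SIZE))
```

With real files, read each saved dump with `open(path, "rb").read()` and keep the reported SHA-256 alongside the backup so later copies can be checked against it.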
To program haxorware to your modem using JtagUtility, issue the following commands:
detect
ldram 9fc10000
(A File Open dialog will appear; find the haxorware firmware file you want (haxorware11revXX-XXXX.bin) and click open)
program 9fc10000 130000
After the flashing is complete, reboot your modem and enjoy Haxorware.
Flashing over serial:
Diagnostic cable instructions (requires noisy bootloader):
Set your computer's IP to 192.168.100.10
Set up a TFTP server with haxorware11revXX-XXXX.bin in its root
Connect to the modem with HyperTerminal or PuTTY (with CR/LF changed to LF)
While the modem is turning on, press p (you should get a prompt)
If you do not get a prompt for pressing p, your modem does not have a noisy bootloader, and you will have to use JTAG
Set the modem IP to 192.168.100.1
Leave everything else at the defaults (just press enter)
When you get to the bootloader menu, press d
Enter 192.168.100.10 as TFTP IP
Enter haxorware11revXX-XXXX.bin as filename
It should download (the dots indicate progress)
When asked what image to save to, answer 1
Answer y to the "Store uncompressed image" prompt
Press b once you are back at the menu to boot the modem
USBJTAG Instructions:
If your modem is currently running infinite firmware, it is recommended to restore it to stock, like it was out of the box. To do this, restore the 2MB backup that I hope you made before flashing infinite. The commands are as follows:
detect
ldram 9fc00000
(A File Open dialog will appear; find your 2MB backup file and click open)
program 9fc00000 200000
It is recommended you make a backup before flashing haxorware (or any other hacked firmware) onto your modem. To create a 2MB backup with usbjtag, enter the following commands:
detect
getram 9fc00000 200000
save 9fc00000 200000
(A save as dialog will appear; choose where to save your 2MB backup)
To program haxorware to your modem using USBJTAG, please overwrite your usbjtag.def with the one from this archive. After that, start USBJTAG and choose the SB5101 profile (Tools->Config will open the profile selection dialog). Then issue the following commands:
detect
ldram Firmware
(A File Open dialog will appear; find haxorware11revXX-XXXX.bin and click open)
program Firmware
After the flashing is complete, reboot your modem and enjoy Haxorware.

USBJTAGNT Instructions:
If your modem is currently running infinite firmware, it is recommended to restore it to stock, like it was out of the box. To do this, restore the 2MB backup that I hope you made before flashing infinite. The commands are as follows:
detect
ldram 9fc00000
(A File Open dialog will appear; find your 2MB backup file and click open)
program 9fc00000 200000
It is recommended you make a backup before flashing haxorware (or any other hacked firmware) onto your modem. To create a 2MB backup with usbjtag, enter the following commands:
detect
getram 9fc00000 200000
save 9fc00000 200000
(A save as dialog will appear; choose where to save your 2MB backup)
To program haxorware to your modem using USBJTAGNT, start USBJTAGNT and choose the SB5101Mod profile (Tools->Config will open the profile selection dialog). Then issue the following commands:
detect
ldram Firmware
(A File Open dialog will appear; find haxorware11revXX-XXXX.bin and click open)
program Firmware
After the flashing is complete, reboot your modem and enjoy Haxorware.
Upgrading from previous shelled firmware (infinite) or Haxorware 1.0
Set your computer's IP to 192.168.100.10
Set up a TFTP server with haxorware11revXX-XXXX.bin in its root
Make sure the haxorware WebGUI isn't currently open
Connect to the modem with HyperTerminal, or telnet to the IP 192.168.100.1
Enter your username and password
cd /ip
ipconfig 1 release
y
dload -i 1 -l -f 192.168.100.10 haxorware11revXX-XXXX.bin
y
cd /
reset
Haxorware 1.1 should now boot

Upgrading from Haxorware 1.1
Make sure the modem's CPU usage is low, so if it's currently scanning for downstream make it stop by going to the web shell and doing
cd /docsis
scan_stop
The safest time to do the Firmware Upgrade is when the modem is fully operational and online.
Then use the Firmware Upgrade page on the WebGUI, find haxorware11revXXXXXX.bin and upload it to the modem in the Firmware section
Reboot the modem using the WebGUI or otherwise, and the new version of Haxorware should now boot
Haxorware Status/Overview

HFC Parameters
Mode: DHCP assigned address or Static
IP Address: Your currently assigned IP address
Subnet: Subnet mask applied to your IP address
TFTP Server: "Provisioned" Config file name assigned by your ISP
TFTP Filename: "Provisioned" Config file name assigned by your ISP
ToD Server: "Provisioned" Time Of Day server IP assigned by your ISP to synchronize against.

Configuration file
Name: "Actual" Config file name in use. When using one different from what was assigned by the ISP, the filename shows here.
Size: Config file size
Compliance: DOCSIS version compliance of this config file.
Haxorware Status/Signal

Downstream
Frequency: This is the frequency your downstream channel is on
Status: Whether the channel is locked or in process
Annex: DOCSIS or EURODOCSIS
Modulation: Modulation rate such as QAM256, QAM16, etc.
Symbol Rate: Number of symbols per second. Higher is faster.
Receive Power: Downstream channel signal strength measured in dBmV.
Signal to Noise ratio: SNR measured in decibels (higher is better)

Upstream
Frequency: This is the frequency your upstream channel is on
Channel ID: Upstream channel number
Status: Whether the channel is locked or in process
Mode: TDMA or ATDMA. (ATDMA is faster)
Symbol Rate: Number of symbols per second.
Transmit Power: Broadcast signal strength to the head end at your ISP measured in dBmV.
Haxorware Status/Event Log
Displays events and errors in operation.
Haxorware Configuration/Settings

Settings
Factory Mode: This forces the modem to behave as if it was supplied by the ISP and bypasses custom settings.
Force Network Access
Tftp Enforce Bypass: If your ISP enforces a Tftp config file, this option will tell the modem to download the supplied config file at the right point, even if you are using another one. Unchecking this could compromise your Haxorware install.
Disable Firmware Upgrades: This option will force Haxorware to ignore new modem firmware pushes from the ISP.
Disable IP Filters on startup: IP filters are used by some ISPs to block traffic of certain types on certain ports (such as if your ISP blocks port 80 to prevent you from hosting a web server). This option bypasses them entirely.

Timeouts
Ignore T1 (No valid UCDs)
Ignore T2 (Ranging Opportunity)
Ignore T3 (Ranging Response)
Ignore T4 (Station Maintenance)

Administration
Control Panel IP Address: Set a different IP than standard here if necessary
DHCP Server: Check this to assign the IP to WAN on router or to PC. Uncheck this ONLY if you have it set manually.
WebGUI Password protection: Enable or disable password protecting the GUI from tampering.

Telnet Server
Current state: Whether Telnet services are running
Run on startup: Whether Telnet should start when the modem is booted, or only when manually enabled.
Haxorware Configuration/Frequency

Annex: Choose DOCSIS or EURODOCSIS based on your region.
Plan: Choose the type matching your region.
Preferred DS Freq 1, 2, & 3: Displayed in "Hz", not "MHz" (for example, 600 MHz would actually be entered as 600000000). These are the frequencies checked first before scanning.
Upstream Channel: This is the preferred upstream channel to try before scanning for available channels.
Haxorware Configuration/Addresses

Addresses
HFC MAC: This is the MAC address your ISP will see for this modem. Changing this to a number that does not have factory certificates loaded will generate a self signed certificate. Click copy from certificate to change back to the MAC for the current certificate. Most ISPs do not accept a self signed certificate in BPI+ DOCSIS 1.1 mode.
Ethernet MAC: This is the MAC address your computer or router sees when querying the modem via ethernet
USB MAC: This is the MAC address your computer or router sees when querying the modem via USB
Serial Number: This is the serial number for the modem presented upon query

Certificate generation
Certificate type: When generating certificates this is the type of certificate preferred.
Haxorware Configuration/Config File

Force Config File
Server IP: This is the IP address of the TFTP server hosting the config file you want to run.
File name: This is the filename of the config file you want to pull from the above IP

Autoserve
Autoserve Config File: Disabled until new config is uploaded.
Store new config: Where you upload a stored config file.

Some ISPs can be tricked to allow you online using a config file saved directly to your modem instead.
Haxorware Configuration/Baseline Privacy

Baseline Privacy
BPI: Baseline privacy version running. BPI 1.1 must be enabled to use DOCSIS 1.1 config files with valid certificates. Bypass must be enabled to use 1.1 configs with self signed certificates but will not work on all providers.

Backup/Restore
Backup: Back up your current certificate set
Restore from filesystem: Restore uploaded or previously backed up certificate sets
Restore from file
Certificate Download: Download individual certificates
Certificate Upload: Upload individual certificates here.
Haxorware Advanced/Static IP

Force Static IP: Check this to force your modem to override any DHCP assigned information with the contents below. Note that this does not stop your provider from assigning your IP to another user, since you did not pull from their pool.
Suppress DHCP Requests: Check this to ignore any requests from the provider to provide your modem with a DHCP lease
IP Address: Enter your desired IP address here
Subnet Mask: Enter the applicable subnet mask here
Gateway: Enter the appropriate gateway here
TFTP IP: Enter your desired TFTP server IP address here
TFTP Filename: Enter the configuration filename on the TFTP server provided you wish to run
ToD IP: Enter your desired Time Of Day server address here. This is generally the same as the TFTP server IP.
Haxorware Advanced/Stealth

Modem Identifiers
Vendor: Enter the manufacturer you want to emulate or tell the ISP you are running
Model: This is where you enter the model number information you want to supply
Software Version: This is where you enter the firmware version you want to supply
Override Hardware Version: Check this to supply a different hardware version to the vendor other than what it is.
Hardware Version: Enter the hardware version you want to supply here
Override Bootloader Revision: Check this to override the default bootloader revision sent to your ISP
Bootloader Revision: Enter revision information here

SNMP Agent
Server Port: Port number for SNMP scans
Disable SNMP Agent after registration: Check this to disable SNMP probe requests from your ISP after initial registration when the modem goes online (recommended)
Redirect SNMP Traps: When SNMP requests are sent, redirect them to another device and port (such as another modem on the network)
IP: IP address to redirect to
Port: Destination port at redirected IP.
Haxorware Advanced/Downloader
This page allows you to download config files from your ISP's TFTP server to examine them with programs such as vultureware or autoserve them from the modem. The IP address and filename may be entered here, and clicking download will prompt you with a file save dialog box.
Haxorware Advanced/File Manager

Free Space
Before Defragmentation: Size in KB before a defragmentation is performed
After Defragmentation: Size in KB after a defragmentation is performed

Haxorware Configuration
Config File: This allows you to Download or Delete the existing config file stored in the modem
File Size: Filesize of config file in bytes
Entries: Number of entries in the config file

Restore From File
'Files': Previous backup files or uploaded files are shown here, which can be downloaded or deleted, in the following format: CMXXXXXXXXXXXX.tar (size in bytes) (option) Download Delete

Upload New File
Choose file dialog prompted when this is clicked. Click upload after picking the file to upload.
Haxorware Web Shell
Any shell commands can be entered here. These are generally commands you might use when at a file system shell (such as telnet) without having to open an actual session.
Haxorware Backup and Restore
Here you can back up either your nonvol information, or do a FULL firmware backup (2MB) to a file. When you click backup you get prompted with a file save dialog. You can also restore a previously backed up nonvol here in case of issues.
Haxorware Firmware upgrade

Firmware upgrade
Firmware Image: Pick the file you want to upload. Be sure to pick the right one. Haxorware DOES however have provisions to prevent drastically wrong choices (such as accidentally picking a 10kb text file).

Bootloader upgrade
Bootloader Image: Update the bootloader only (such as if you need to load the noisy bootloader to diagnose issues).
Haxorware Factory Defaults
Clears all dynamic settings such as preferred downstream frequencies, upstream channel IDs and their power levels.
Haxorware About
Information about Haxorware.

Haxorware Reboot
Modem reboot page

Relevant Links
• http://www.haxorware.net
• http://www.sbhacker.com
Original idea educate taken from the wiki article here http://en.wikibooks.org/wiki/Haxorware_Modem_Firmware