RCA / Thomson Modem Hack Discovered

Posted by Hemos
from the the-joy-of-hacking dept.
An anonymous reader writes "Those unemployed modem hackers are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM, which throws the device into a diagnostic panic mode. Then, by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developer's menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."
  • by garcia (6573) * on Monday December 27, 2004 @11:51AM (#11191600) Homepage
    Just remember that some cable ISPs use modem MAC authentication and changing your MAC address could possibly disable your access to the Internet. Some cable ISPs use "bottom-up" provisioning which allows you to re-register your modem's MAC address and tie it to your account (useful if you buy your own modem) but others could still be using manual provisioning which could cause delays in regaining block-sync.

    Personally, don't fuck around w/your cable modem. It works just fine the way it is. Hacks are a wonderful educational/mental exercise but I wouldn't exactly be trying this if you don't want to lose connectivity to your ISP.
    • by Saxton (34078) on Monday December 27, 2004 @11:59AM (#11191686) Homepage
      That, and is there any real functionality you are able to get from this hack? Didn't seem like it. I am guessing 95% of the people that do it are going to follow the directions, say "yay I did it" and then forget all about it, other than being able to tell their friends that they owned their own cable modem.

      *yawn*

      -Aaron
      • by Sc00ter (99550) on Monday December 27, 2004 @12:03PM (#11191716) Homepage
        You could hack the bootp config file and get faster upload/download speeds.

        • by garcia (6573) * on Monday December 27, 2004 @12:08PM (#11191756) Homepage
          So? You can do that w/o a hardware hack using a TFTP server and a text editor. Most cable ISPs already scan their networks for modified cable modem config files and disable them for ToS violations.
          • by Sc00ter (99550) on Monday December 27, 2004 @12:26PM (#11191888) Homepage
            Some versions of the firmware won't allow bootp files to be received from the ethernet interface. This hack lets you change the firmware to a version that does allow it. So it may still be a required step.

            • by DigiShaman (671371) on Monday December 27, 2004 @01:16PM (#11192273) Homepage
              As a Time Warner employee for the Austin TX area, our cable modems (regardless of brand, be it 3com, Ambit, Toshiba...etc) have a 10.x.x.x IP address that is not accessible to the public. Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly. If you make any changes to the modem by chance and uncap your modem, some fuzzy-logic software will check the checksum of the bin files on that modem (so I've been told by the abuse department). If that bin file has been modified or the firmware flashed to something other than what it's supposed to have, expect your account to be disabled.

              Chances are at this point, there will be no negotiation. If so, you will have to find another ISP, as we do not tolerate whatsoever people uncapping their modems. And believe me, we have quite a nice tech-savvy population in Austin that DO try to get away with it.
              • I'm confused. How does modifying hardware that I own affect how my ISP limits traffic?

                Note: I'm on Cox cable in Virginia; I got my cable modem from somewhere other than my ISP.
              • Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly.

                It's a good thing that spoofing a CMTS system to the modem and giving it new BIN files, and then the new software lying to checksum/CRC tests is a tricky operation. But don't assume that it's impossible.

                • It's not impossible. But, why would anyone spend hundreds (actually, more like thousands) of dollars on the custom CMTS hardware required? They would be spending *WAY* more than the business class internet access would for a number of years.

              • our cable modems (regardless of brand, be it 3com, Ambit, Toshiba...etc) have a 10.x.x.x IP address that is not accessable to the public. Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly.
                Well, I hope you don't use Motorola SB3100 or SB4100 modems, since they have a documented ARP poisoning attack that causes the modem to TFTP its config from the local Ethernet segment instead of the headend.
        • by Jeff DeMaagd (2015) on Monday December 27, 2004 @12:11PM (#11191781) Homepage Journal
          Uncapping or raising your cap is likely in violation of your contract and grounds for termination. Basically if you did this, you could be charged with theft of service.
      • "That, and is there any real functionality you are able to get from this hack? Didn't seem like it."

        That depends; with my cable company an unknown MAC is allowed to be up and running for three days...
        Think about it for a moment.

        Almost everything is tied to the MAC of the modem.
        There is some debate IF they could identify you with a forged MAC. Maybe the three-block radius, but the account? Maybe, maybe not. Depends on the system you are in, and for my company they could not find you.
      • What functionality to you get from any hack? 99% of the hacks you see on Slashdot have no functional purpose, beyond some small (even imaginary) improvement in features or efficiency. Which is hardly worth the risk of damaging the thing you're trying to hack.

        But all hacks are useful for teaching yourself about the technology. And that's not a small goal.

    • Good point. However, one could easily make a note of the original MAC address, and change it back to the original, if it causes a problem.

      On the topic of MAC addresses, i'm not sure if enough people treat it as a privacy issue. AFAIK, MAC addresses are globally unique, thus uniquely identifying an individual user. Even IP addresses are sometimes dynamic (depending on the ISP), and can be "masked" by using a suitable proxy. MAC, OTOH, is almost like a digital fingerprint.

      Does anyone else share the same con
    • I was wondering. (Score:3, Interesting)

      by FreeLinux (555387)
      I was wondering about this. It seems, to me, that this hack will render your modem useless on the cable network. What's the advantage of that?

      Changing the MAC address will effectively cut off service to your modem. Being able to update the firmware sounds nifty but, do you have new firmware that you need to install? Is there some service that you need so badly, on a cable modem, that you would spend your time writing new firmware for it?

      I just don't see the advantage to this hack. I can see the advantage
    • It works just fine the way it is.

      And what if it doesn't? I know I was calling my cable company every week, month after month, and they sent a different trained monkey out every time, to change a different section of wire, and declare the problem all fixed... for about 5 minutes after they left.

      I'm glad I switched to DSL. But for those who might not have such an option, it's nice to be able to get detailed info yourself, and possibly make the necessary changes to get your service working.

      Isn't this sla

  • How long... (Score:2, Interesting)

    by KennyP (724304)
    Until they are discovered and those modified cable modems are de-serviced?

    Kenny P.
    Visualize Whirled P.'s
    • Re:How long... (Score:4, Insightful)

      by garcia (6573) * on Monday December 27, 2004 @11:54AM (#11191632) Homepage
      Until they are discovered and those modified cable modems are de-serviced?

      I was wondering if people could use a modified firmware that would report a valid modem config file back to the ISP when the ISP scans for ones that were not sanctioned.

      The ISP could powercycle the modems remotely and push new firmware to all the modems rather easily. I would assume that the pushed firmware would include a way to block unauthorized firmware from connecting to the network.

      Who knows if they'd be that interested though?
  • Note the date.. (Score:5, Informative)

    by Anonymous Coward on Monday December 27, 2004 @11:55AM (#11191637)
    ..of the securityfocus story. It says "Feb 5 2004". It's nearly a year old!
  • by Anonymous Coward
    The group's website is being served through a hacked cable-modem connection.
  • by EvilStein (414640) <spam@pbRASPp.net minus berry> on Monday December 27, 2004 @11:58AM (#11191675) Homepage
    Remember these cable modem tweakers [geek.com] that were raided by the FBI?

    • by garcia (6573) * on Monday December 27, 2004 @12:02PM (#11191710) Homepage
      Remember these cable modem tweakers that were raided by the FBI?

      Those individuals were "uncapping" their cable modems by changing their modem config file and uploading it to their modems. That could be labeled theft of service as you are effectively stealing bandwidth that you didn't pay for.

      Modifying the firmware on your cable modem doesn't necessarily have to mean uncapping your modem config file and upping your possible bandwidth.

      In fact, this method is quite a bit more difficult than just editing the modem config file (as it requires a hardware interface not just a TFTP server).
      • Very true, but do you really think that "more bandwidth" was *not* on their minds?

        I can't think of many other reasons to get in to a cable modem to dick around with it. I'm sure there are a few that people will come up with, but I chalk it up to the "Eh, who cares?" file. :P
        • by Vo0k (760020) on Monday December 27, 2004 @12:21PM (#11191846) Journal
          Resident sniffer/logger.
          Simple Firewall.
          Monitor, blinking LEDs on certain kinds of packets arriving.
          "Wake on ring" if not present by default.
          "extra secret storage" in unused flash.
          Changing MAC address...
          *less* bandwidth (throttling your uplink, etc)
        • I wouldn't mess with the speed, as I'm sure the second somebody starts blasting 10mbit uploads down the cablenet, somebody on the UBR end will pick it up. I'd be happy with re-enabling the read-only 'public' SNMP on the local IP address of the cable modem... it was really nice pointing MRTG at 192.168.100.1 and reading the transferred-bytes numbers straight out of the modem interface, to say nothing of the signal strength and other genuinely useful info you can read with docsdiag [ntlworld.com].
      • Those individuals were "uncapping" their cable modems by changing their modem config file and uploading it to their modems. That could be labeled theft of service as you are effectively stealing bandwidth that you didn't pay for.

        Silly question... how does one measure the amount of theft in these cases? By the byte? If you are not paying for the service this is easy, the theft would be equal to the monthly rate normally charged. But if you are paying for service how can you measure the amount of theft th
  • Question (Score:3, Interesting)

    by MisanthropicProgram (763655) on Monday December 27, 2004 @12:00PM (#11191690)
    Could these guys get arrested or sued under the DMCA?
    • No. They didn't circumvent any mechanisms protecting copyrighted data in order to use that data. (and this is strictly what DMCA is about)
      You could say they circumvented the protection (doubtful, the protection wasn't anywhere near to "efficient" as DMCA states) to access the copyrighted firmware. Except their aim is not to steal the original firmware but to replace it with their own, so the intent part isn't fulfilled at all. If they downloaded the firmware and started spreading it over BitTorrent, sure, t
  • WOOOHOOO (Score:5, Funny)

    by Anonymous Coward on Monday December 27, 2004 @12:06PM (#11191743)
    I can't wait for a few days until all the people that try this hack are kicked off the network, allowing my service to go faster.

    yay for stupid people.
    • allowing my service to go faster.

      Not possible. The primary reason for this hack in the first place, is to stop your cable-modem from limiting your bandwidth.

      If you were the only node on the entire network, you wouldn't see the slightest bit of a speed-up.

      I switched to DSL, and couldn't be happier about it. Costs less, and MANY times faster.
  • Hacking cellphones (Score:5, Insightful)

    by null etc. (524767) on Monday December 27, 2004 @12:08PM (#11191753)
    Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone...

    Try the discussion forums over at wirelessadvisor.com

    I posted a teaser message there once regarding the Motorola T720. By using the USB modem cable and a COM port sniffer, I determined that extended AT modem commands were used to synchronize the phone with the desktop. By posting my findings, someone took the initiative and started a Yahoo! group for hacking the T720. Within a month, the group had 400 members and within five months the group had collectively hacked the T720.
    • I went with T-mobile and a Nokia 6600 specifically because of this busted-by-design decision regarding bluetooth and Verizon. While I doubt they lose more customers than they generate through the revenue they soak out of people, it *does* matter to a significant amount of people.

      (btw, the Nokia bluetooth isn't as nice as the bluetooth on Sony phones like the t610, but I think that is due to bad coding more than by design.)

    • Not quite the same kind of hacking. The USB cable is meant to be used the way you used it. (Very likely you could have found out the same thing by reading the SDK manuals, though it is more fun to discover this stuff on your own.) But Verizon seems to have decided that their customers can't be allowed to use Bluetooth except for specific authorized purposes. Getting around their limitations involves disabling the activation and modifying the firmware [typepad.com]. Not for the faint of heart!
  • mirror, anyone? (Score:2, Redundant)

    by bodrell (665409)
    only 14 comments, and site's down already.
  • by Anonymous Coward on Monday December 27, 2004 @12:12PM (#11191784)
    MAC address/IP are often used in court. Things get interesting when people can change or spoof these things.
  • by papasui (567265) on Monday December 27, 2004 @12:15PM (#11191798) Homepage
    This violates most acceptable use policies, regardless of whether you own the cable modem or not. Changing your modem's MAC address would fall under hacking, as you could cause service interruptions on your network segment for other people. You're paying for internet service, not the right to fuck around with a company's million dollar network. We had a kid get arrested for this; changed his modem's MAC every day but never changed his NIC's. Pretty trivial to track him down.
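    The tracking trick in the comment above (the customer's own NIC MAC stays constant while the modem MAC keeps changing) is easy to turn into a detection. The following is an added example, not code from this thread or from any ISP; it assumes a constructed provisioning-log format with a date, the cable modem MAC (`cm`), the customer device MAC (`cpe`) and the assigned IP, plus a constructed list of modem MACs the ISP actually provisioned.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed log format (not a real CMTS or ISP format):
# <date> cm=<cable-modem MAC> cpe=<customer device MAC> ip=<assigned address>
SAMPLE_LOG = """\
2004-12-20 cm=00:10:95:aa:bb:01 cpe=00:0c:29:11:22:33 ip=10.1.2.10
2004-12-21 cm=00:10:95:aa:bb:01 cpe=00:0c:29:11:22:33 ip=10.1.2.10
2004-12-21 cm=00:10:95:cc:dd:02 cpe=00:0c:29:44:55:66 ip=10.1.2.11
2004-12-22 cm=00:10:95:ee:ff:03 cpe=00:0c:29:11:22:33 ip=10.1.2.12
2004-12-23 cm=00:10:95:12:34:04 cpe=00:0c:29:11:22:33 ip=10.1.2.13
this line is garbage and must be skipped by the parser
"""

# Constructed "known good" list of modem MACs the ISP provisioned itself.
PROVISIONED = {"00:10:95:aa:bb:01", "00:10:95:cc:dd:02"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) cm=(?P<cm>[0-9a-f:]{17}) cpe=(?P<cpe>[0-9a-f:]{17}) ip=(?P<ip>\S+)$"
)


def parse(log):
    """Parse log lines into dicts; malformed lines are dropped, MACs normalised to lowercase."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip().lower())
        if m:
            records.append(m.groupdict())
    return records


def cpe_behind_multiple_modems(records, threshold=2):
    """Return {cpe MAC: sorted modem MACs} for every customer device seen behind
    `threshold` or more different modem MACs, the pattern the comment describes."""
    modems_per_cpe = defaultdict(set)
    for r in records:
        modems_per_cpe[r["cpe"]].add(r["cm"])
    return {cpe: sorted(cms) for cpe, cms in modems_per_cpe.items() if len(cms) >= threshold}


def unprovisioned_modems(records, provisioned):
    """Modem MACs that registered on the plant but were never provisioned by the ISP."""
    return sorted({r["cm"] for r in records} - set(provisioned))


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for cpe, cms in cpe_behind_multiple_modems(recs).items():
        print(f"CPE {cpe} seen behind {len(cms)} modem MACs: {', '.join(cms)}")
    print("unprovisioned modem MACs:", unprovisioned_modems(recs, PROVISIONED))
```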
  • Warning: mysql_connect(): Can't connect to MySQL server on 'engdb.agava.com' (61) in /home/t/tcniso.hosting.agava.com/WWW/db_connect.php on line 10
    Can't connect to MySQL server on 'engdb.agava.com' (61)

    =)
  • by khrtt (701691) on Monday December 27, 2004 @12:24PM (#11191870)
    The only way you can possibly benefit from this is to uncap the modem, which is about as kosher as petty shoplifting. And you wouldn't need to reflash the modem for it anyways.

    So, if you are not uncapping it, then what's the point? It's not like you are going to add any badly missed features, or make a linux print server out of it. Maybe it's just my lack of imagination, but I just don't see any practical uses for a hacked cable modem. I mean, other than getting the inner satisfaction from proving that you are actually able to read and flash the EEPROM:-). But then, you could just use a screwdriver and an EEPROM programmer...
    • I mean, other than getting the inner satisfaction from proving that you are actually able to read and flash the EEPROM:-). But then, you could just use a screwdriver and an EEPROM programmer...

      i can see now some gang of script kiddies in a basement. they've got some retired guy tied up in front of a console. mom won't let them buy any weapons so they are threatening him with a screwdriver. "M4K3 TEH CH1p W3RK OR W3 W177 ST@B j00!!!!!@#111"
    • So, if you are not uncapping it, then what's the point?

      You can eavesdrop on all the other cable-modem users on your segment (could be nearly 1000). You can change your MAC address for anonymous access, or even free access.

      You can't make it into a print server, but it could easily become a router, firewall, NAT box, etc.
  • by Anonymous Coward on Monday December 27, 2004 @12:27PM (#11191890)
    I've got a box-full of old 2400 bps modems and it would be great if these guys can find a way to tweak some speed out of them.
  • This article brings joy to me. It's great to see serious hardcore development like this, on a shoestring. 21st century Thomas Alva Edisons and Alexander Graham Bells.
  • This is an intellectually interesting exercise. I suppose the idiots that have no business doing this sort of thing will be dissuaded by the soldering and cabling requirements. The really persistent dumbasses will have their ISP cut off their service when they violate their terms of service.

    But the thing that really comes to my attention is: Never leave debug code in production firmware. Proves I haven't been paranoid for no reason these years!

  • Hold up! (Score:4, Funny)

    by El Camino SS (264212) on Monday December 27, 2004 @12:57PM (#11192121)

    The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM which throws the device into a diagnostic panic mode. Then by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developers menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

    Whoa, slow down.

    Corky here can't handle frontpage paragraphs like that first thing in the morning.

  • by scattol (577179) on Monday December 27, 2004 @01:03PM (#11192163)
    There are instructions on this web site [tellushow.com] on how to modify your v710 phone to turn on all the bluetooth functionality. You need to register though. Don't know if they work, I haven't tried them so you are on your own.

    If they work, let us know.
  • by Jozer99 (693146) on Monday December 27, 2004 @01:11PM (#11192239)
    It was also discovered that by permanently grounding the clock, the RCA cable modem could be turned into a full fledged Radeon 9700 Pro...
  • Uncapping? No... (Score:3, Interesting)

    by telemonster (605238) on Monday December 27, 2004 @01:19PM (#11192289) Homepage
    Uncapping of the rate? No. Promiscuous mode is where the terror begins! Sniffing the traffic on the segment is where the real press will begin.

  • by anthony_dipierro (543308) on Monday December 27, 2004 @01:24PM (#11192335) Journal
    Everyone is talking about how this is a bad thing to do on someone else's network, but what about on your own network? Is it possible to get two cable modems to talk to each other over a coax cable? Can you hack the things to run distributed.net software? There are an awful lot of people out there with cable modems but no cable modem service.
  • Back in the day... (Score:5, Interesting)

    by danuary (748394) on Monday December 27, 2004 @01:41PM (#11192477)
    I worked for a startup cablemodem ISP. This was the mid-90's, before DOCSIS; we used proprietary equipment.

    We discovered and hounded the vendor relentlessly about the fact that the modems had a serial port for dial-upstream service. If you jumped a couple pins on the serial port, reset the modem, and plugged in a serial line 9600/8/n/1 you'd get the modem's diagnostics (password protected, albeit with a very weak password).

    The things you could do from the diag screen were downright scary. All this and more. You could determine the downstream and upstream freqs; you could also set the modem to transmit on any upstream frequency at any level up to 60dB. We played around with it for a bit. We set up a test modem and had it transmit for a second at 60dB on one of our upstream freqs; it took out ~400 users' service for about a half hour. Had we done it on the PPV freqs, it would have taken out PPV for a few thousand people. Fun stuff.

    And to my knowledge, they never fixed it.

  • So far we've had many replies about how this will violate ToS and is Theft of Service. I would not presume to disagree... it's generally a stupid idea to do something illegal with any broadcast device.

    But what about applications that don't involve the cable company whatsoever? For example, is it possible to set one modem in host and the other to client so one could use a pair to communicate? If so, would there be an advantage in terms of range over, let's say, cat5 ethernet?
