cable modem hacking how-to


Upload: juventa-metha

Post on 12-Mar-2015



Cable Modem Hacking Guide With Pictures
Version VII

Written By Monkeywrencher

For additional tutorials, support forums and downloads visit http://www.theoryshare.com

Disclaimer:

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

FAQs Read First:

1. What cable modem models can be modified?

While other models may be uncapped, Theoryshare supports only the Motorola Surfboard SB3100 - SB5100 models, excluding VOIP models and the SB4220. The SB4100 and SB4200 can easily be modified using netbooting with the uncap kit. The SB3100 can also be modified through software, but it's more difficult. The SB5100 can be modified, but you must solder an adapter to the modem motherboard in order to change the firmware or perform any modifications.

2. Is this process illegal?

Generally, modifying a device that you purchased, or using our devices on a network that you own or have permission to use, is not illegal. There are many restrictions to doing so, and every country is different. Theoryshare takes no responsibility for user actions.

3. Can I steal service with your products/software?

While under certain circumstances products sold or distributed through Theoryshare may be used to steal service, Theoryshare does not condone cable theft and no support will be given to any user wishing to steal service.

4. I am having trouble with this process. Is there an easier way to uncap my connection?

Yes. If you are having problems with this process you can purchase a pre-modified modem from Theoryshare, which is ready out of the box, or you may send your Surfboard in to be modified. Pre-modified modems will work on any DOCSIS network. You can visit the store here:
http://www.theoryshare.com/index.php?option=com_phpshop&page=shop.browse&category_id=1&option=com_phpshop&Itemid=30

5. I am having trouble with this process and would like to continue, but need support.

Visit our free support forums at http://www.theoryshare.com

Preamble:

Basically, the point of this process is to increase the speed of your cable modem using modified firmware or by using a special program to change the config file your modem boots with. The former is the preferred method; both methods will work only on Motorola Surfboard cable modems SB4200 and earlier. Firmware modification is compatible with SB4100 and SB4200 modems. Firmware modification is also possible on the SB5100, however it requires you to make a special cable which you solder to the modem's motherboard. The schematics for this cable can be found in the forums at http://theoryshare.com. If you generally have problems with computers or you just want an easy way to get uncapped, visit the Theoryshare store:
http://www.theoryshare.com/index.php?option=com_phpshop&page=shop.browse&category_id=1&option=com_phpshop&Itemid=30

Below is a description written by one user about uncapping, premods and what modification is all about:

What is Cable Modem Modification, Uncapping, and What are Premods

Tell me More

Written by Shifter


Improving your speed is a definite given. Right now, I'm subscribed to the 4000/384, but I sniffed out a config file with speeds of 8800/1000. That's what I'm running at right now. There are lots of hard to find configs out there, but a 3rd party sniffer or the built-in sniffer can find them if you let it go for a while. Depending on your isp, you could sniff out 16000/2000. It all comes down to what the isp has to offer. Some people are lucky enough to still be able to get their modem to bypass the tftp server and take a modified config file from a spoofed server set up on their system. That is very rare today, but those that can do it are able to set their upload/download to custom values.

As far as getting caught, your isp has ways of finding out who's using their bandwidth, but it costs more money and takes time to do so. In most cases, and because you are not disrupting the network, it's not worth their time/money. Plus, you are flying under the radar.

In the few, public cases that individuals have been caught, they were totally abusing the bandwidth. Like leaving Bit Torrent or other file sharing programs running at full speed indefinitely. Red flags will fly if an unknown source is downloading several TeraBytes a month as well as uploading countless Gigabytes. Not to mention the server type, FTP setups that were being utilized. The entire situation was ugly.

Cable internet is a shared connection. Killing the bandwidth causes problems for other users on the node.

I've yet to read a post from someone here at Theoryshare regarding their isp watching them or sending out any letters. That's because we go about our internet business as usual. These people, myself included, enjoy the faster speeds and use close to the same amount of bandwidth as before. It's not planned or anything. I just continue with my normal activities.

My speeds are just faster.

Currently, the Surfboard series modems (SB3100 - SB4200) are able to be uncapped without any need of cables. Just download the Uncapping Kit and follow the steps. That's it.

The SB5100 took quite some time to exploit. Finally, this year, it became an option. In order to uncap the SB5100, you will need a blackcat cable. This cable will need to be soldered on to specific points inside the modem. You will then need the flash software to get it going.

For more information, help and updates, visit http://theoryshare.com. If you do not have a Surfboard modem, or find this process is too hard for you to complete, pre-modified modems are for sale at http://theoryshare.com, which include the modem pre-modified with firmware and support. Support forums, FAQs and P2P support are also available.

Before Continuing Read the Following:

Some things to know before using this guide – Make sure you understand these:

1. This process is real and can increase the speeds you get from your cable service.

2. This guide may not work with all modems. It is currently only known to work with Surfboard modems but should work with others.

3. No matter how much you uncap you can be caught JUST AS EASILY. Use at your own risk.

4. Don't be disappointed if this does not work for you. Certain configurations with your modem or isp may prevent you from properly performing this process.

5. I CANNOT help you if you do NOT have a Surfboard modem.

6. Finally, please read through all of the documentation before asking me or anyone else for support. Thank you.

7. Every step must be followed exactly as stated, in exact order. Deviation will result in FAILURE.

There are two good ways to uncap: the first is to use hacked firmware, the second is to use DHCP Force. Both methods will work on Surfboard 3100/4100/4200 cable modems, but DHCP Force has been reported to work on many modems even though it was designed only for Motorolas, so if this doesn't work it probably can't be done with your modem.

Uncapping With Hacked Firmware

If you have not read all the information prior to this please do so now. If you ignore this warning you will most likely have problems when you continue.

FIRST, THIS WILL ONLY WORK WITH SURFBOARD SB4100, SB4101, and SB4200 modems. It will not work with any other modems. For the SB3100 you must use the Alternate method for loading firmware. IF YOU ARE ON A EURODOCSIS SYSTEM THIS PROCESS WILL WORK WITH ONLY THE 3100, 4200 AND YOU WILL NEED TO FOLLOW STEP 4B.

If you have trouble with this process, help/support forums are available at http://theoryshare.com

STEP 1:

Go to your modem config page http://192.168.100.1 and reset all defaults, then unplug your modem from power and coax. DO NOT REBOOT YOUR MODEM, only reset all defaults. It will not take as long as it says.


STEP 2:

Go to network settings in control panel and change your network settings.

Change your network settings to the following:

IP ADDRESS: 192.168.100.10

SUBNET: 255.255.255.0

GATEWAY: 192.168.100.1

DNS: Leave blank

Once finished, disable then enable your network interface.

STEP 3:

Open NetBoot and verify the boxes "Enable FTP Server", "Reset Modem Before Booting" and "Auto IP" are checked. Now plug your modem in to POWER ONLY. Then, after about 1 minute, press boot over network. Your modem should reset and then begin a power up. DO NOT reset your modem; this may take a minute or two. Once NetBoot shows that the FTP Client has been disconnected, your modem is finished net booting and you may go on to the next step. DO NOT CLOSE SBRIDER

[Picture: Before Net Boot]

[Picture: After Successful Net Boot]

STEP 4:

After your modem has been net booted, return to your cable modem config page http://192.168.100.1 and go to the hack tab. Scroll down to "Upgrade Firmware". Proceed to upgrade your firmware with the firmware corresponding to your cable modem in the Firmware folder. Fiberware firmware is for advanced users only and is not recommended for general use. At this point your modem will begin upgrading. DO NOT unplug your modem or change pages on your browser until your modem reboots; in rare cases this may take up to 5 minutes. Once your modem has rebooted, return to the config page and verify that the firmware has been updated by seeing if the hack tab is available. If so, you may plug your modem back into coax and go on. At this stage the firmware is permanently loaded and no further action is required to make it stay on the modem.

Once this upgrade is finished you may change your IP back to normal and you can access the internet and the hacked firmware.

STEP 4B: EURO DOCSIS WORK AROUND (NEW)

If you are on a Euro DOCSIS system you need to follow this step, otherwise proceed to step 5.

Step 1: Open a command line (Start, Run, cmd.exe) or open your favorite telnet client. At the command line type: telnet 192.168.100.1

Step 2: Stop the scanning task: type BroadcomDebugMode(1); and hit enter.

Step 3: Create an instance of the CmApi (which has your config in it): pCmApi=Instance__5CmApi() and then get a copy of your config: pCfg=GetCmConfig(pCmApi);

Step 4: Change the frequency plan by running SetFreqPlanType(pCmApi,0x1);

*Note, the flag at the end of this command sets the scan table:

Scan table      Flag
North America   0x0
Europe          0x1
China           0x2
Japan           0x3

Step 5: With the instance of your modified class, save it to the cable modem using this command: SetCmConfig(pCmApi,pCfg);

Step 6: Reboot the modem and go to: http://192.168.100.1/configdata.html
If you did everything right (and the shell did not crash) it should be changed. If the shell did crash, unplug the modem for 30 seconds and try it again.

STEP 5:

All cable modems use config files that control your modem's speed, importance and a few other parameters. Each time your modem boots it automatically downloads a config file chosen by your isp. To uncap you must identify a config file which has faster speeds than the one you are currently using.

The Hackware firmware that you have just loaded includes a config file sniffer under the sniffer tab. At this point the easiest route to take is to leave the modem on for a few hours, then check back to see if your config list has been updated. Often config names are quite obvious as to what speed they will give you. If the config file names you have are not easy to understand you may have to try a few. If the configs do not have anything in common and there are a large number of them, you are on a dynamic config system and must perform a method known as MAC cloning; visit http://theoryshare.com for more details. If you find a config you want to try, simply go back to the hack page, enter the name of the config you want to load and save the change. Reboot the modem and look at the max download/upload speed listed in the hack page; this tells you how fast the config is if you do not know.
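The operator-side view of the config swap described above, as an added example that is not part of the original guide: a modem asking for a config file other than the one it was provisioned with is visible in the provisioning server's request log. The log format, the MAC addresses and the provisioning table below are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed provisioning table: modem MAC -> config file the operator assigned.
PROVISIONED = {
    "02:00:00:00:00:01": "BRONZE.cm",
    "02:00:00:00:00:02": "GOLD.cm",
    "02:00:00:00:00:03": "BRONZE.cm",
}

# Constructed log lines in a hypothetical format: TFTP read requests already
# joined with DHCP lease data, so each line carries the modem MAC.
SAMPLE_LOG = """\
2024-01-01T08:00:01Z RRQ mac=02:00:00:00:00:01 ip=10.142.1.213 file=BRONZE.cm
2024-01-01T08:00:07Z RRQ mac=02:00:00:00:00:02 ip=10.142.1.214 file=GOLD.cm
2024-01-01T08:03:44Z RRQ mac=02:00:00:00:00:03 ip=10.142.1.215 file=PLATINUM.cm
2024-01-01T08:05:10Z RRQ mac=02:00:00:00:00:09 ip=10.142.1.216 file=GOLD.cm
truncated line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) RRQ mac=(?P<mac>[0-9A-Fa-f:]{17}) "
    r"ip=(?P<ip>\S+) file=(?P<file>\S+)$"
)


class Finding(NamedTuple):
    ts: str
    mac: str
    ip: str
    requested: str
    expected: Optional[str]
    reason: str


def audit_config_requests(log_text, provisioned):
    """Return (findings, unparsed_line_count) for one request log."""
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # count rather than silently drop malformed lines
            continue
        mac = m["mac"].lower()
        expected = provisioned.get(mac)
        if expected is None:
            reason = "unknown-modem"      # MAC was never provisioned
        elif m["file"].lower() != expected.lower():
            reason = "config-mismatch"    # asked for a different tier's file
        else:
            continue                      # request matches provisioning
        findings.append(
            Finding(m["ts"], mac, m["ip"], m["file"], expected, reason)
        )
    return findings, unparsed


if __name__ == "__main__":
    results, skipped = audit_config_requests(SAMPLE_LOG, PROVISIONED)
    for finding in results:
        print(finding)
    print("unparsed lines:", skipped)
```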

If you have trouble finding configs or simply want to find more, use the method below:

Open the SNMPCfg Admin program and locate the IP address range near the bottom. For the first number in the range, put your HFC IP address listed in the DHCP Force application. For the second value, put an address considerably higher but not too much higher. EX. 10.142.1.213 --> 10.142.255.255 is a reasonable value. 10.142.1.213 --> 255.255.255.255 is not. Play around with this application to find a range that will best suit you. After the info has been entered, use the mass get function to retrieve the config names. Then press the + next to the names to get an IP address list. Put one of the addresses from each config into the step 1 program to find out which config is the fastest. In many cases this is not necessary, however, because the configs are named like BANNED.cm, BRONZE.cm, GOLD.cm, PLATINUM.cm, in which case knowing which is the fastest does not require a technical solution.

If the configs do not list, you will need to retrieve your current config. An explanation for this can be found in the archive this was distributed in.

After you have retrieved the config, open it with Config Edit and locate your community string. It should be a line something like this:

snmp_mib_object 1.3.6.1.3.83.1.2.1.4.2 = string "YHaPLFR8";

Enter this string into SNMPCfg to find the config names. After you have found the config names, you can set your modem to download one when it boots using the config boot command. If your isp uses dynamic configs (each modem gets a unique config) you will need to use the following OIDs in SNMPCfg: Download: 1.3.6.1.2.1.10.127.1.1.3.1.5.1 or Upload: 1.3.6.1.2.1.10.127.1.1.3.1.3.1. Then, once you find a faster modem, find its MAC address and clone it. This is not difficult and there are many 3rd party programs that can help you with this. Refer to the firmware command list for all functions.

Note that the SB3100 uses a different hacked firmware than the SB4XXX series. All of its functions can be accessed by going to http://192.168.100.1/tcniso.html. This same firmware can be used on the SB4XXX series but it is not recommended. You can find the 4XXX images and many others here: http://thescentoflove.com/test

Alternate Update Method:

Open CMfirm. For CM address, go to http://192.168.100.1 and then to Addresses, and use your HFC IP address. Leave the community string alone. For firmware server, enter your public IP address. For firmware file, select the correct update file for your modem; this will be a .hex.bin.

If the update will not go through it is because of 1 of 2 things. Either your firmware version is higher than SB3100-3.2.15-SCM00-NOSHELL for the SB3100 or SB4200/4100-0.4.4.2-SCM01-NOSH for the 4100/4200.

The other is that you must discover your read/write community string. Follow the config file retrieval tutorial and open the config. Inside the config look for an item like this:

snmp_mib_object 1.3.6.1.3.83.1.2.1.4.2 = string "YHaPLFR8";

In this case YHaPLFR8 is the community string. Once this is done, run the firmware update.

If this method still does not work because you have a high firmware version like 4.4.2 or 3.1.17, then use the 2 modem downgrade method. You can use either 2 of your own modems or you can get a person locally on the same isp to help you.

Once the new firmware is loaded on the modem you will need to tell your modem to boot a faster config file.

Uncapping using DHCP Force

Step By Step

1. Find the MAC address of your cable modem. This is usually found on a sticker on the cable modem or in the documentation which came with it. Open the DHCP Force application, put in the modem's MAC address and use the discover function. Then write down the values that are provided in the boxes. Another useful place to find modem information for Surfboard is the modem's web page, which can be found at http://192.168.100.1. While other modems may have similar web pages I do not know how to locate them.

2. Open the SNMPCfg Admin program and locate the IP address range near the bottom. For the first number in the range, put your HFC IP address listed in the DHCP Force application. For the second value, put an address considerably higher but not too much higher. EX. 10.142.1.213 --> 10.142.255.255 is a reasonable value. 10.142.1.213 --> 255.255.255.255 is not. Play around with this application to find a range that will best suit you. After the info has been entered, use the mass get function to retrieve the config names. Then press the + next to the names to get an IP address list. Put one of the addresses from each config into the step 1 program to find out which config is the fastest. In many cases this is not necessary, however, because the configs are named like BANNED.cm, BRONZE.cm, GOLD.cm, PLATINUM.cm, in which case knowing which is the fastest does not require a technical solution. If the configs do not list, you will need to retrieve your current config. An explanation for this can be found in the archive this was distributed in. After you have retrieved the config, open it with Config Edit and locate your community string. Enter this string into SNMPCfg to find the config names and then later also modify this parameter in DHCP Force.

3. Open the DHCP Force application. Before you can try to uncap you must first disable the media sense option. This can be found under the DHCP menu. Once media sense is disabled you will most likely have to restart your computer. After your computer is restarted, open the DHCP Force application again, enter your modem's MAC address and use the discover function. This time, after the discover finishes, change the config file name to the name of the faster config you found using SNMPCfg Admin. Click the start button in DHCP Force, then reboot your cable modem. The easiest way to do this is to unplug it and then plug it back in. Wait until the modem is fully booted up, then stop DHCP Force and try to get online. Do not reboot your modem again, however, because this will set your modem back to its original settings. If all went well you should be on at a faster speed now.
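The SNMP "mass get" across an address range, described in the SNMPCfg passage under STEP 5 and again in step 2 above, has a recognisable shape from the network side: one source querying UDP/161 on many modem addresses in a short time. The following is an added detection example, not part of the original guide; the flow-record layout, the management-station address, the modem network and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed assumptions: the operator's legitimate SNMP poller and the
# address block modems receive on the HFC side.
MGMT_STATIONS = {ipaddress.ip_address("10.0.0.5")}
MODEM_NET = ipaddress.ip_network("10.142.0.0/16")


def find_snmp_sweeps(flows, window=60, threshold=20):
    """Flag sources that query SNMP on many distinct modems in a short time.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, udp_dst_port),
           sorted by time.
    Returns {src_ip: peak number of distinct modems queried within `window`}.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != 161:
            continue
        if ipaddress.ip_address(dst) not in MODEM_NET:
            continue
        if ipaddress.ip_address(src) in MGMT_STATIONS:
            continue  # expected polling from the operator's own station
        queue = recent[src]
        queue.append((ts, dst))
        # Drop entries that have aged out of the sliding window.
        while queue and queue[0][0] <= ts - window:
            queue.popleft()
        distinct = len({d for _, d in queue})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_flows():
    """Constructed flow records: one sweep, one poller, one ordinary host."""
    flows = []
    for i in range(40):   # a subscriber address walking upward through the range
        flows.append((1000 + i, "10.142.1.213", f"10.142.1.{214 + i}", 161))
    for i in range(100):  # the management station polling modems
        flows.append((1000 + i, "10.0.0.5", f"10.142.2.{i + 1}", 161))
    flows.append((1005, "10.142.7.7", "10.142.1.1", 161))
    flows.append((1010, "10.142.7.7", "10.142.1.2", 161))
    return sorted(flows)


if __name__ == "__main__":
    for src, count in find_snmp_sweeps(sample_flows()).items():
        print(f"{src} queried SNMP on {count} modems within 60s")
```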


If you need help visit the free support forums at: http://www.theoryshare.com

Also at Theoryshare you will find pre-modified modems for sale if you do not have a Surfboard 4100/4200, and a flashing service if you have trouble or are unable to flash your modem.

You can contact us at [email protected]

If this guide has been helpful to you please consider purchasing a product from Theoryshare to help keep the website running and to make it better.

Thanks to the Fibercoax Group and TCNISO for software used in this kit. Hackware firmware written by Kuyza