
Cable Modem Hacking Guide With Pictures

Version VII
Written By Monkeywrencher
For additional tutorials, support forums and downloads visit http://www.theoryshare.com
Disclaimer:
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
FAQs Read First:
1. What cable modem models can be modified?
While other models may be uncapped, Theoryshare supports only the Motorola Surfboard
SB3100 - SB5100 models, excluding VOIP models and the SB4220. The SB4100 and
SB4200 can easily be modified using netbooting with the uncap kit. The SB3100 can also
be modified through software, but it's more difficult. The SB5100 can be modified, but you
must solder an adapter to the modem motherboard in order to change the firmware or
perform any modifications.
2. Is this process illegal?
Generally, modifying a device that you purchased is not illegal, or using our devices on a
network that you own or have permission, is not illegal. There are many restrictions to
doing so, and every country is different. Theoryshare takes no responsibility for user
actions.
3. Can I steal service with your products/software?
While under certain circumstances products sold or distributed through Theoryshare may
be used to steal service, Theoryshare does not condone cable theft and no support will be
given to any user wishing to steal service.
4. I am having trouble with this process, is there an easier way to uncap my connection?
Yes. If you are having problems with this process you can purchase a pre-modified
modem from Theoryshare which is ready out of the box, or you may send your Surfboard
in to be modified. Pre-modified modems will work on any DOCSIS network. You can visit
the store here:
http://www.theoryshare.com/index.php?option=com_phpshop&page=shop.browse&category_id=1&option=com_phpshop&Itemid=30
5. I am having trouble with this process but I would like to continue, but need support.
Visit our free support forums at http://www.theoryshare.com
Preamble:
Basically the point of this process is to increase the speed of your cable modem using
modified firmware or by using a special program to change the config file your modem
boots with. The former is the preferred method; both methods will work only on Motorola
Surfboard cable modems SB4200 and earlier. Firmware modification is compatible with
SB4100 and SB4200 modems. Firmware modification is also possible on the SB5100,
however it requires you to make a special cable which you solder to the modem's
motherboard. The schematics for this cable can be found in the forums at
http://theoryshare.com. If you generally have problems with computers or you just want an
easy way to get uncapped, visit the Theoryshare store:
http://www.theoryshare.com/index.php?option=com_phpshop&page=shop.browse&category_id=1&option=com_phpshop&Itemid=30
Below is a description written by one user about uncapping, premods and what
modification is all about:
What is Cable Modem Modification, Uncapping, and What are Premods
Tell me More
Written by Shiter
Improving your speed is a definite given. Right now, I'm subscribed to the 4000/384, but
I sniffed out a config file with speeds of 8800/1000. That's what I'm running at right now.
There are lots of hard to find configs out there, but a 3rd party sniffer or the built in
sniffer can find them if you let it go for awhile. Depending on your isp, you could sniff
out 16000/2000. It all comes down to what the isp has to offer. Some people are lucky
enough to still be able to get their modem to bypass the tftp server and take a modified
config file from a spoofed server set up on their system. That is very rare today, but those
that can do it are able to set their upload/download to custom values.
As far as getting caught, your isp has ways of finding out who's using their bandwidth,
but it costs more money and takes time to do so. In most cases, and because you are not
disrupting the network, it's not worth their time/money. Plus, you are flying under the
radar.
In the few, public cases that individuals have been caught, they were totally abusing the
bandwidth. Like leaving Bit Torrent or other file sharing programs running at full speed
indefinitely. Red flags will fly if an unknown source is downloading several TeraBytes a
month as well as uploading countless Gigabytes. Not to mention the server type, FTP
setups that were being utilized. The entire situation was ugly.
Cable internet is a shared connection. Killing the bandwidth causes problems for
other users on the node.
I've yet to read a post from someone here at Theoryshare regarding their isp watching
them or sending out any letters. That's because we go about our internet business as
usual. These people, myself included, enjoy the faster speeds and use close to the same
amount of bandwidth as before. It's not planned or anything. I just continue with my
normal activities.
My speeds are just faster.
Currently, the Surfboard series modems (SB3100 - SB4200) are able to be uncapped
without any need of cables. Just download the Uncapping Kit and follow the steps. That's
it.
The SB5100 took quite some time to exploit. Finally, this year, it became an option. In
order to uncap the SB5100, you will need a blackcat cable. This cable will need to be
soldered on to specific points inside the modem. You will then need the flash software to
get it going.
Written by Shiter
For more information, help and updates, visit http://theoryshare.com. If you do not have a
Surfboard modem, or find this process is too hard for you to complete, pre-modified
modems are for sale at http://theoryshare.com, which include the modem pre-modified
with firmware and support. Support forums, FAQs and P2P support are also available.
Before Continuing Read the Following:
Some things to know before using this guide - make sure you understand these:
1. This process is real and can increase the speeds you get from your cable service.
2. This guide may not work with all modems. It is currently only known to work with
Surfboard modems but should work with others.
3. No matter how much you uncap you can be caught JUST AS EASILY. Use at your own
risk.
4. Don't be disappointed if this does not work for you. Certain configurations with your
modem or isp may prevent you from properly performing this process.
5. I CANNOT help you if you do NOT have a Surfboard modem.
6. Finally, please read through all of the documentation before asking me or anyone else
for support. Thank you.
7. Every step must be followed exactly as stated, in exact order. Deviation will result
in FAILURE.
There are 2 good ways to uncap: the first is to use hacked firmware, the second is using
DHCP Force. Both methods will work on Surfboard 3100/4100/4200 cable modems, but
DHCP Force has been reported to work on many modems even though it was designed only
for Motorolas, so if this doesn't work it probably can't be done with your modem.
Uncapping With Hacked Firmware
If you have not read all the information prior to this please do so now. If you ignore
this warning you will most likely have problems when you continue.
FIRST, THIS WILL ONLY WORK WITH SURFBOARD SB4100, SB4101, and SB4200
modems. It will not work with any other modems. For the SB3100 you must use the
Alternate method for loading firmware. IF YOU ARE ON A EURODOCSIS SYSTEM
THIS PROCESS WILL WORK WITH ONLY THE 3100, 4200 AND YOU WILL NEED
TO FOLLOW STEP 4B.
If you have trouble with this process, help/support forums are available at
http://theoryshare.com
STEP 1:
Go to your modem config page http://192.168.100.1 and reset all defaults, then unplug
your modem from power and coax. DO NOT REBOOT YOUR MODEM; only reset all
defaults. It will not take as long as it says.
STEP 2:
Go to network settings in control panel and change your network settings.
Change your network settings to the following:
IP ADDRESS: 192.168.100.10
SUBNET: 255.255.255.0
GATEWAY: 192.168.100.1
DNS: Leave blank
Once finished, Disable then Enable your network interface.
STEP 3:
Open NetBoot and verify the boxes "Enable FTP Server", "Reset Modem Before Booting"
and "Auto IP" are checked. Now plug your modem in to POWER ONLY. Then after
about 1 minute, press boot over network. Your modem should reset, then begin a power up.
DO NOT reset your modem; this may take a minute or two. Once NetBoot shows that the
FTP Client has been disconnected, your modem is finished net booting and you may go on
to the next step. DO NOT CLOSE SBRIDER
[Pictures in the original: Before Net Boot; After Successful Net Boot]
STEP 4:
After your modem has been net booted, return to your cable modem config page
http://192.168.100.1 and go to the hack tab. Scroll down to "Upgrade Firmware". Proceed
to upgrade your firmware with the firmware corresponding to your cable modem in the
Firmware folder. Fiberware firmware is for advanced users only and is not recommended
for general use. At this point your modem will begin upgrading. DO NOT unplug your
modem or change pages on your browser until your modem reboots; in rare cases this may
take up to 5 minutes. Once your modem has rebooted, return to the config page and verify
that the firmware has been updated by seeing if the hack tab is available. If so, you may
plug your modem back into coax and go on. At this stage the firmware is permanently
loaded and no further action is required to make it stay on the modem.
Once this upgrade is finished you may change your IP back to normal and you can access
the internet and the hacked firmware.
Step 4B: EURO DOCSIS WORK AROUND: -NEW
If you are on a Euro DOCSIS system you need to follow this step, otherwise proceed to step
5.
Step 1: Open a command line (Start, Run, cmd.exe) or open your favorite
telnet client. At the command line type:
    telnet 192.168.100.1
Step 2:
Stop the scanning task: type the following and hit enter.
    BroadcomDebugMode(1);
Step 3:
Create an instance of the CmApi (which has your config in it):
    pCmApi=Instance__5CmApi()
and then get a copy of your config:
    pCfg=GetCmConfig(pCmApi);

Step 4:
Change the frequency plan by running:
    SetFreqPlanType(pCmApi,0x1);

*Note, the flag at the end of this command sets the scan table:
Scan Table   North America   Europe   China   Japan
Flag         0x0             0x1      0x2     0x3

Step 5:
With the instance of your modified class, save it to the cable modem using this
command:
    SetCmConfig(pCmApi,pCfg);

Step 6:
Reboot the modem and go to: http://192.168.100.1/configdata.html
If you did everything right (and the shell did not crash) it should be changed. If the shell
did crash, unplug the modem for 30 seconds and try it again.
STEP 5:
All cable modems use config files that control your modem's speed, importance and a
few other parameters. Each time your modem boots it automatically downloads a config
file chosen by your isp. To uncap you must identify a config file which has faster speeds
than the one you are currently using.
The Hackware firmware that you have just loaded includes a config file sniffer under the
sniffer tab. At this point the easiest route to take is to leave the modem on for a few hours,
then check back to see if your config list has been updated. Often config names are quite
obvious as to what speed they will give you because of their name. If the config file
names you have are not easy to understand you may have to try a few. If the configs do
not have anything in common and there are a large number of them, you are on a dynamic
config system and must perform a method known as MAC cloning; visit http://theoryshare.com
for more details. If you find a config you want to try, simply go back to the hack page and
enter the name of the config you want to load and save the change. Reboot the modem
and look at the max download/upload speed listed in the hack page; this tells you how fast
the config is if you do not know.
If you have trouble finding configs or simply want to find more, use the method below:
Open the SNMPCfg Admin program and locate the ip address range near the bottom. Then
for the first # in the range put your hfc ip address listed in the DHCP Force application.
For the second value put an address considerably higher, but not too much higher. EX.
10.142.1.213 --> 10.142.255.255 is a reasonable value. 10.142.1.213 -->
255.255.255.255 is not. Play around with this application to find a range that will best
suit you. After the info has been entered use the mass get function to retrieve the config
names. Then press the + next to the names to get an ip address list. Put one of the
addresses from each config into the step 1 program to find out which config is the fastest.
In many cases this is not necessary, however, because the configs are named like
BANNED.cm, BRONZE.cm, GOLD.cm, PLATINUM.cm, in which case knowing which
is the fastest does not require a technical solution.
If the configs do not list, you will need to retrieve your current config; an explanation for
this can be found in the archive this was distributed in.
After you have retrieved the config, open it with Config Edit and locate your community
string. It should be a line something like this:
snmp_mib_object 1.3.6.1.3.83.1.2.1.4.2 = string "YHaPLFRF";
Enter this string into SNMPCfg to find the config names. After you have found the config
names, you can set your modem to download one when it boots using the config boot
command. If your isp uses dynamic configs (each modem gets a unique config) you will
need to use the following oids, Download: 1.3.6.1.2.1.10.127.1.1.3.1.5.1 or Upload:
1.3.6.1.2.1.10.127.1.1.3.1.3.1, in SNMPCfg, then once you find a faster modem find its
MAC address and clone it. This is not difficult and there are many 3rd party programs that
can help you with this. Refer to the firmware command list for all functions.
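Seen from the operator's side, both techniques in STEP 5 leave a visible mismatch: a modem registers with a config file other than the one provisioned for its account, or one MAC address registers in more than one place. The following is an added example, not part of the original guide, that flags both conditions; the record fields, MAC addresses and node names are constructed, with the config names and rates borrowed from the examples above.

```python
"""Headend-side audit: flag config-file mismatches and cloned MAC addresses.

Field names and all sample records are constructed for illustration; real
input would come from the provisioning database and CMTS registration data.
"""
from collections import defaultdict

# Constructed provisioning data: MAC -> (config file, max down kbps, max up kbps)
PROVISIONED = {
    "00:11:22:aa:bb:01": ("BRONZE.cm", 4000, 384),
    "00:11:22:aa:bb:02": ("GOLD.cm", 8800, 1000),
    "00:11:22:aa:bb:03": ("BRONZE.cm", 4000, 384),
}

# Constructed registration records as a headend might observe them.
REGISTRATIONS = [
    {"mac": "00:11:22:AA:BB:01", "node": "n1", "config": "BRONZE.cm", "down": 4000, "up": 384},
    {"mac": "00-11-22-aa-bb-03", "node": "n1", "config": "GOLD.cm", "down": 8800, "up": 1000},
    {"mac": "00:11:22:aa:bb:02", "node": "n2", "config": "GOLD.cm", "down": 8800, "up": 1000},
    {"mac": "00:11:22:aa:bb:02", "node": "n7", "config": "GOLD.cm", "down": 8800, "up": 1000},
    {"mac": "00:11:22:aa:bb:99", "node": "n3", "config": "GOLD.cm", "down": 8800, "up": 1000},
]

def norm_mac(mac):
    """Normalise separators and case so the same MAC always compares equal."""
    return mac.replace("-", ":").lower()

def audit(registrations, provisioned):
    """Return a sorted list of (mac, finding) tuples."""
    findings = set()
    nodes_by_mac = defaultdict(set)
    for reg in registrations:
        mac = norm_mac(reg["mac"])
        nodes_by_mac[mac].add(reg["node"])
        plan = provisioned.get(mac)
        if plan is None:
            findings.add((mac, "unprovisioned"))
            continue
        cfg, max_down, max_up = plan
        if reg["config"] != cfg:
            findings.add((mac, "config-mismatch"))
        if reg["down"] > max_down or reg["up"] > max_up:
            findings.add((mac, "rate-above-plan"))
    # The same MAC registered on more than one node indicates a cloned address.
    for mac, nodes in nodes_by_mac.items():
        if len(nodes) > 1:
            findings.add((mac, "duplicate-mac"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, finding in audit(REGISTRATIONS, PROVISIONED):
        print(mac, finding)
```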
Note that the SB3100 uses a different hacked firmware than the SB4XXX series. All of its
functions can be accessed by going to http://192.168.100.1/tcniso.html. This same
firmware can be used on the SB4XXX series but it is not recommended. You can find the
4XXX images and many others here: http://thescentoflove.com/test
Alternate Update Method:
Open CMfirm. For CM address go to http://192.168.100.1 and then to addresses. Use your
HFC ip address. Leave community string alone. For firmware server enter your public ip
address. For firmware file select the correct update file for your modem; this will be a
.hex.bin.
If the update will not go through it is because of 1 of 2 things. Either your firmware
version is higher than SB3100-3.2.15-SCM00-NOSHELL for the SB3100 or
SB4200/4100-0.4.4.2-SCM01-NOSH for the 4100/4200.
The other is that you must discover your read/write community string. Follow the config
file retrieval tutorial and open the config. Inside the config look for an item like this:
snmp_mib_object 1.3.6.1.3.83.1.2.1.4.2 = string "YHaPLFRF";
In this case YhaPLFRF is the community string. Once this is done run the firmware
update.
If this method still does not work because you have a high firmware version like 4.4.2 or
3.1.17, then use the 2 modem downgrade method. You can use either 2 of your own
modems or you can get a person locally on the same isp to help you.
Once the new firmware is loaded on the modem you will need to tell your modem to boot
a faster config file.
Uncapping using DHCP Force
Step By Step
1. Find the MAC address of your cable modem. This is usually found on a sticker on the
cable modem or in the documentation which came with it. Open the DHCP Force
application, put in the modem's MAC address and use the discover function. Then write
down the values that are provided in the boxes. Another useful place to find modem
information for Surfboard is the modem's web page, which can be found at
http://192.168.100.1. While other modems may have similar web pages I do not know
how to locate them.
2. Open the SNMPCfg Admin program and locate the ip address range near the bottom. Then
for the first # in the range put your hfc ip address listed in the DHCP Force
application. For the second value put an address considerably higher, but not too much
higher. EX. 10.142.1.213 --> 10.142.255.255 is a reasonable value. 10.142.1.213 -->
255.255.255.255 is not. Play around with this application to find a range that will best
suit you. After the info has been entered use the mass get function to retrieve the
config names. Then press the + next to the names to get an ip address list. Put one of the
addresses from each config into the step 1 program to find out which config is the
fastest. In many cases this is not necessary, however, because the configs are named like
BANNED.cm, BRONZE.cm, GOLD.cm, PLATINUM.cm, in which case knowing
which is the fastest does not require a technical solution. If the configs do not list, you
will need to retrieve your current config; an explanation for this can be found in the
archive this was distributed in. After you have retrieved the config, open it with Config
Edit and locate your community string. Enter this string into SNMPCfg to find the
config names and then later also modify this parameter in DHCP Force.
3. Open the DHCP Force application. Before you can try to uncap you must first disable
the media sense option. This can be found under the DHCP menu. Once media sense is
disabled you will most likely have to restart your computer. After your computer is
restarted, open the DHCP Force application again, enter your modem's MAC address
and use the discover function. This time, after the discover finishes, change the config
file name to the name of the faster config you found using SNMPCfg Admin. Click the
start button in DHCP Force, then reboot your cable modem. The easiest way to do this
is to unplug it and then plug it back in. Wait until the modem is fully booted up, then
stop DHCP Force and try to get online. Do not reboot your modem again, however,
because this will set your modem back to its original settings. If all went well you
should be on at a faster speed now.
If you need help visit the free support forums at: http://www.theoryshare.com
Also at Theoryshare you will find pre-modified modems for sale if you do not have a
Surfboard 4100/4200, and a flashing service if you have trouble or are unable to flash your
modem.
You can contact us at admin@theoryshare.com
If this guide has been helpful to you please consider purchasing a product from
Theoryshare to help keep the website running and to make it better.
Thanks to the Fibercoax Group and TCNISO for software used in this kit. Hackware
firmware written by Kuyza
