Bloodclaaat
↧
Can I flash Arris TG852G
Hi everyone, I'm new to the forum so please don't bash me. I was wondering if someone here can help me flash my Arris TG852G modem, which has DOCSIS 3.0, if possible? Thank you.

↧
Fake Cell Tower Cops Use To Track You
↧
Middle of nowhere ISP
Hello, Just signed up. I was reading around and saw the knoxk thread and was amazed.
Anyways, I'm on an Arris TG862G and I stumbled on to this forum because I was researching a way to simply force my ISP to change my IP. (I might just call and ask how long their leases are)
Then I saw the password of the day crap page, and I needed to get in there...well I did and it felt good lol.
Then I downloaded the SNMP cfg Admin tool and getting hits like extreme.bin, lite.bin, Node12Tower.bin, or nonpay.bin (FREE, haha just messing). Anywho, kinda wanting to taste candyland with the hopes that there really is no security in this small ass town. So I'll be reading up and maybe invest the 10 dollars or w/e on that sb forum, there really isn't much to do in this town...all work and no play kinda wants me to hack my modem...well shit, the ISP owns it...maybe I shouldn't.
↧
Location of certs in SB5101 w/ Haxorware
After searching for a month, I decided to beg for help.
Sorry if I asked something stupid.
For stock SB5101 firmware, to grab the certs a JTAG command can be used to read cfg.bin
Code:
-ldram 9fc000000
But I would like to know how I can grab the certs with BLACKCAT JTAG from an SB5101 with Haxorware installed (without web GUI and telnet access)?
Are the certs stored in the same location after flashing Haxorware firmware onto it?
Any replies will be greatly appreciated.
↧
Just Come Across This Website
Hey guys, I've been doing a lot of research today, been here and there, and just came across this website: http://www.cmtsinfo.net/index.php. Don't know if any of you have been on it, but it's got a lot of useful information on there. Just thought I would share it with you lot!
PEACE
↧
Newbie Help (SB 5101)
Greetings to all.
The issue is that I have a modem in "stock" mode, I also have one with Haxorware and I want to clone to use it in my office. The question is:
Can I disable the "config file" to use the speed that my MAC address has (because my "paid" connection is 5mb and the config file that I have is 4mb)?
How is that done?
Thanks and sorry for my English.
↧
Change DPC2100r2 BOOTR & SW_REV
Looking for the OIDs to change these two values in NonVol. (Original WebSTAR firmware, not Haxorware)
Crappy ISP gives you a modem and whatever firmware it came with is what it will stay with. Had a problem logging into the control panel with the old firmware; it went away after I upgraded it.
Now I want to spoof the previous firmware's software and boot versions so it's not noticed (these below)
Quote:Descripcion: S-A WebSTAR DPC2100r2 Series DOCSIS Cable Modem Ethernet+USB <<HW_REV: 2.0; VENDOR: S-A; BOOTR: 2.1.6; SW_REV: v2.0.2r1244-050203; MODEL: DPC2100r2>>
Already know how to use SNMP to set it to factory mode, just need the OIDs for those two values
Thank you
↧
Linux Script Via Python
Hello
Can someone please tell me how I execute a Linux script/command on the CM via Python? I've been reading on how to do it but can't seem to get the gist of it.
Script starts with
# cat run_docsis
runall
↧
shell script.sh
Hello, I'm trying to execute a .sh on my modem but I'm getting this error
here.png (Size: 89.56 KB / Downloads: 12)
Could this be due to me trying it on a 280? Something is ringing in my head saying eCos = Netgear; I think I've read it somewhere but I can't quite remember. Anyone else have any input? Would this work on a 2100? Or Ambit?

↧
Dynamic Convert
This was requested by a member here, I've never had success with it. Supposed to convert dynamic config names to something more understandable.
dynamicconvert.zip (Size: 10.46 KB / Downloads: 3)

↧
Scanning SNMP
I'm scanning a string where the associated docsDevNmAccessControl value = 3 but nothing comes up. I thought that was the goody string that lets you r/w. Is that because the true string is encrypted? If so, how do you decrypt it?
↧
Helpless and in need of a helpful hand - SB5101
So I'll give you a bit of backstory. Student renting in a student house. When I was looking for a room, I specifically looked for a house with high speed internet and a modem in the actual room itself to connect my PC, which I make my living off of, so that is my main concern in any room. The day before I moved all my stuff in, I noticed one of the other housemates took the box out of my room and is now running it and the modem from the third floor. Now I can't even get on wifi long enough to check my Gmail.
So I tried to ask the landowner; she doesn't give a "hoot" and the housemates don't give a ish either, since they can connect where their rooms are located.
Then I stumbled across this:
http://www.ebay.com/itm/Premodded-Motoro...1c1919b51b
I thought it was a godsend and would solve all my problems. I now realize I'm a bit in over my head and can't even configure this to work for me.
If anyone could assist me in this, I would forever be grateful!
If you need any details or anything, just please post or PM me and I will get back as soon as I can, but I'm usually only able to access the internet between classes in the morning or late evening, since I can't access the internet from my room.
modem - moto sb5101
ISP - optimum
Area - New Jersey

↧
will pay for help
I have been at this for weeks and weeks and can't take it anymore lol. Is there someone I can please call to help me get better speeds? I've read up on certs, files, everything, till my head hurts. Basically I'm running hax 39 with a 5101. I'm currently online but with only 4meg speed, and it constantly drops in and out. I've searched for macs and certs outside of my node. Honestly I think I'm right there and have the info I need, I just need help putting it all together. I would seriously pay someone for a blocked phone call to help walk me through this because it's driving me insane lol. Please, if someone is willing, I would appreciate it more than you would ever know. Also my ip is a small place in the middle of South Carolina. Thanks
↧
Many questions....
Even though one might have the private string, can the ISP lock the SNMP manager so you can't scan?
I understand that the ISP can lock down the SNMP manager and only allow inquiries from specific IPs and subnets. But if they don't do this, how else are they able to lock it down?
In a config file I see 4 strings, 2 public & 2 private. Two always stay the same and the other public and private seem to vary every so often. What is that about? Is the ISP implementing random strings for every modem? Another way of protecting SNMP for the ISP? I've seen this before but it never interfered with my scanning.
My head is exploding...
↧
RCA DCM425
Ok, so my problem is that I logged in to the Haxorware interface and I was changing the MAC address and I changed the serial and now my i can get to connection or get into the modem. Please help.
↧
4Chan
Do any of you guys remember this guy 4chan? I believe it was cablemodemshack.com he used to be a mod in. He used to give entertaining responses. They shut the site down and so I asked him where he was and he gave me a link to SB-underground. There was nothing really going on at that site though. Anybody know what site he is on now?
↧
Looking for a nudge in the right direction
Hi,
My Haxorware modem went offline a couple years ago with the new cc security, and I gave up and put it away. I have been interested in getting it going lately and am looking for some advice. I am very interested in learning how it works and don't mind reading and studying DOCSIS but I'm not sure where to go. I have also switched ISPs and don't use cc anymore. Here is my telnet log:
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.09.13 11:02:04 =~=~=~=~=~=~=~=~=~=~=~=
Haxorware integrated telnet daemon
Username: root
Password: ****
Welcome.
CM>
CM> DHCPc: Sending Discover packet; client id htype=1, value=00:15:9a:d9:51:64
DHCPc: Received an Offer from DHCP server XX:XX:XX:XX:XX:XX (172.29.255.121); lease client id htype=1, value=XX:XX:XX:XX:XX:XX
CM> runDHCPc: Timed out waiting for offers for lease with client id htype=1, value=XX:XX:XX:XX:XX:XX
DHCPc: Sending Request packet; client id htype=1, value=XX:XX:XX:XX:XX:XX
DHCPc: Received an Ack from DHCP server XX:XX:XX:XX:XX:XX(172.29.255.121); lease client id htype=1, value=XX:XX:XX:XX:XX:XX
Current IP address is default 0.0.0.0.
0x0000f686 [DHCP Client Thread] BcmEcosIpHalIf::ConfigureLeaseImpl: (IP Stack1 HalIf)
Configuring IP stack 1:
IP Address = 10.137.232.220 (primary IP address)
Subnet Mask = 255.255.248.0
Router = 10.137.232.1
IsPrimaryInterface = 1
Logging event: DHCP WARNING - Non-critical field invalid in response.
0x0000f6ae [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 63
elapsed time secs = 1
ARPing for default GW IP = 10.137.232.1
MAC = 00:01:5c:69:de:46
DHCP completed successfully!
DHCP Settings:
Client Id = htype=1, value=XX:XX:XX:XX:XX:XX
State = Renewing (5)
Static Lease = 0
AutoConfig Mode = IP, Subnet and Router
XID = 0x7a7fe81e
Number of Tries = 0
Max Discover Tries = 6
Max Request Tries = 6
DHCP server MAC addr = 00:01:5c:69:de:46
Ignore NAKs = 0
My offered IP address = 10.137.232.220 (primary IP address)
(1) Subnet Mask = 255.255.248.0
(3) Router IP address = 10.137.232.1
(54) DHCP Server IP address = 172.31.15.244
(82) Relay Agent IP address = 172.29.255.121
TFTP Server IP address = 172.31.15.244
CM Configuration file = 'unknown.bin'
(2) UTC Time Offset = -28000 seconds
(4) Time Server IP address = 172.31.15.244
(6) Domain Name Server = 172.31.15.162; 172.31.15.244
(7) Log Server IP address = 0.0.0.0
(51) Lease time = 604800 seconds
(58) T1 (renew) = 302400 seconds
(59) T2 (rebind) = 529200 seconds
Lease is infinite = 0
CmSnmpAgent::IpAddressAcquiredEvent for SB5102 CM Agent w/ BRCM Factory Support
IP addr = 10.137.232.220
Starting Time Of Day...
0x0000f71c [CmDocsisIpThread] BcmDocsisTimeOfDayThread::SetTodServerIpAddress: (Time Of Day Thread) ToD servers: 172.31.15.244
Connecting to ToD server 172.31.15.244...
Sending UDP ToD request to server...
Not logging event ID 2291949724, control for level 7 is 0.
UTC returned by ToD server 3619609332; UTC offset -28000
Current system time -> Sat Sep 13 07:15:32 2014
System start time -> Sat Sep 13 07:14:29 2014
Starting Tftp of configuration file...
Opening file 'unknown.bin' on 172.31.15.244 for reading...
Resuming SNMP Thread
tftp-enforce bypass is DISABLED
SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.137.232.220, Subnet=255.255.248.0, Gateway=10.137.232.1
Ip addr is the same, not rebinding.
SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.137.232.220, Subnet=255.255.248.0, Gateway=10.137.232.1
Ip addr is the same, not rebinding.
Storing received cfg of size 1108 to memory
Tftp read < 512 bytes, we have reached end of file.
Tftp transfer complete!
TFTP Settings:
Stack Interface = 1
Server Ip Address = 172.31.15.244
Server Port Number = 32794
Total Blocks Read = 3
Total Bytes Read = 1108
Config file was read! IP Initialization completed...
MAX CPE per CM is being set to 32
TLV-11[1]: 1.3.6.1.2.1.69.1.2.1.4.1 -> public
TLV-11[2]: 1.3.6.1.2.1.69.1.2.1.5.1 -> 3 (i32)
TLV-11[3]: 1.3.6.1.2.1.69.1.2.1.6.1 -> HEX:40 00
TLV-11[4]: 1.3.6.1.2.1.69.1.2.1.7.1 -> 4 (i32)
Time Of Day completed...
DefaultSnmpAgentClass::SystemTimeChangeEvent for SB5102 CM Agent w/ BRCM Factory Support
Not logging event ID 2291949524, control for level 7 is 0.
Not logging event ID 2291949324, control for level 7 is 0.
SB5102 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.137.232.220:225
4 TLV-11's OK.
Sending a REG-REQ to the CMTS...
Received a REG-RSP message from the CMTS...
0x0000f942 [CmDocsisCtlThread] BcmCmDocsisCtlThread::RegRspMsgEvent: (CmDocsisCtlThread) We registered with a DOCSIS 1.0 config file!
Adding DOCSIS 1.0 CoS Settings for SID 0xaf8
Class Of Service Settings:
SID = 0xaf8
Max Us Burst = 3044 bytes
Max Us Rate = 131072 bits per second
Max Bucket size = 24288 bits
Bits In Bucket = 24288
Last Bucket Update Time = 64810 ms
Last Bucket Flush Time = 64810 ms
Packet Delay Time = 0 ms
Global CONCAT has been disabled for all upstream queues (either from NonVol settings or CMTS override).
Fragmentation is ENABLED in DOCSIS 1.0 mode!
0x0000f94c [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndApplyRegAckHack: (CmDocsisCtlThread) DOCSIS 1.0 reg on us phy type 3 channel. --> perform REG-ACK hack!
Registration complete!
Process CVC
CmDownloadMatchBuffer - length comparison failed
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileSpecifiedCvc: (Secure Software Download) ERROR - Config File manufacturer CVC Subject organizationName does not match the CM's manufacturer name.
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileManufAndCosignerCvcs: (Secure Software Download) ERROR - Reject config file MFG CVC!
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::ProcessCVC: (CmDocsisCtlThread) ERROR - Config file does not include a valid CVC!
DOCSIS CoS/QoS rate shaping enable is now 1
CmSnmpAgent::CmOperationalEvent for SB5102 CM Agent w/ BRCM Factory Support
CmSnmpAgent operating in 1.0 mode, including docsBpi, excluding docsQos
+++ No DH kickstart profiles or snmpCommunityTable entries installed.
We will operate in NMACCESS mode.
SB5102 CM Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
SB5102 CPE Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndLaunchBpkm: (CmDocsisCtlThread) BPKM disabled via provisioned config file setting.
Enabling network access for all CPE ports.
mot_scanList: Writing to Flash!
0x0000f9e2 [CmDocsisCtlThread] BcmDocsisCmHalIf::ConfigOperational: (DOCSIS CableModem HalIf) Running IGMP in DOCSIS 1.0 mode!
BcmCmDocsisStatusEventCodes::kCmIsOperational
Suspending SNMP Thread
0x0000f9ec [CmDocsisCtlThread] BcmVendorCmApplication::StopDhcpServer: (VendorExtension CmApp) Shutting down DHCP Server...
0x0000f9ec [CmDocsisCtlThread] BcmStandbySwitchThread::CmIsOperational: (Motorola Standby Switch Thread) Simulating a press of the standby switch to get the state configured properly.
0x0000f9f6 [IGMP Thread] BcmIgmpThread::Starting Igmp Thread...: (IGMP Thread)
0x0000fa00 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ThreadMain: (Motorola Standby Switch Thread) Standby switch was pressed!
0x0000fa00 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ProcessSwitchEvent: (Motorola Standby Switch Thread) Standby switch disabled in nonvol; ignoring event.
Logging event: Improper Configuration File CVC Format
SB5102 CM Event Log w/ BRCM Factory Support sending deferred async messages...
Done w/ deferred msgs
Not logging event ID 2296948624, control for level 7 is 0.
CM>
Since my MAC is not provisioned I get the unknown.bin config file, which fails the CVC check.
First, my subbed modem is an Arris mg5225g, which is a modem and router in one. I don't think I can scan for MACs, because you're supposed to be connected directly to the modem, not behind a router. I tried putting my PC in DMZ and scanning but it doesn't seem to work. Is there a way to scan with my equipment, or is that the wrong approach altogether? I was thinking if I could see MACs and config files on my network I could play around with those to at least get more information on the security my CMTS is running.
I don't know a whole lot about SNMP but it seems like that might hold a key for me? Problem is I can't get any information with the unknown.bin config file sent to my modem. I think I would at least need a community string, but where can I get that if it's not in the config file?
I keep reading that I need to understand the handshake and learn how to make my CM send what the CMTS is wanting to see, but I can't get past this unknown.bin problem.
I really do want to learn more about this and I like to read and understand these things (I basically taught myself C++ just from reading online), I'm just hoping someone can point me in the right direction.
↧
sbg6580 full virgin dump needed
Hey, what's up to whoever reads this. I'm trying to restore my SBG6580 to its original state. I'd like to get the wifi and modem side back to complete stock. If anyone has a backup file please PM me.
↧
Just dumped an Arris TG862A, what next?
Hi there! I'm very new to cable modem hacking. I just made a dump of the SPI flash inside a TG862A. Using binwalk and the firmware-mod-kit, I managed to extract the two filesystems. I also tried to modify /etc/passwd and point the root shell to /bin/sh, but of course it didn't work...
What's the next step? I got the full image, should I upload it somewhere?
Cheers
Ciaby