Quantcast
Channel: Haxorware Forums - All Forums
Viewing all 4466 articles
Browse latest View live

Discovered an alien !

July 3, 2015, 7:22 am
$
0
0
I tell you, in this forum our friend named @Ziricom is not just a mere human. he's definitely an alien, he just knows too much.

How could he remember so many things! I wonder ! Dodgy Shy
I have been reading his threads from the day I joined this forum.

He is among the people who actively contribute to this forum. Really appreciate that he puts his time for this.
I wish i could learn even more.
Search

Virgin media mac sniff

July 3, 2015, 11:09 am
$
0
0
Hi, I have been trying to 'sniff' for a mac for my modem I cannot find any atall just shows all blanks ? can anyone help

TWC Config File

July 5, 2015, 9:32 pm
$
0
0
Would anyone have a TWC config file that runs above 15 meg. It has been satisfactory lately but I feel that I can get better in my area. Any help would be appreciated.

Interesting:

July 6, 2015, 4:42 am
$
0
0
Sent a priv msg to one person re: my site address that is yet to be published.. 3 people visit at same time.. the only one I sent it to, would take longer to let other's know, despite being asked not to, and I'm sure he did not..

So what is the difference between asking for help in forum's and priv msg?

Cause it's a pain in the ass reading begging msg's when it can be done in forum.

And those ip's who visited are geotagged by isp's, and perm banned, sorry Wink

Calgary man soars over city in lawn chair attached to helium balloons.

July 6, 2015, 12:54 pm

i need help pls (puerto rico) this is my log

July 6, 2015, 8:55 pm
$
0
0
d1.1 sb5101
i can't force my config like before and the ip doesn't work 2 even the spoof somebody can hit me a liitle tip pls...
----------------------------------------

2015-07-06 22:59:57 Notice M572.0 Neg Or Bad Reg Rsp - Reinitialize MAC...
2015-07-06 22:59:57 Notice I401.0 TLV-11 - unrecognized OID
2015-07-06 22:59:55 Critical D003.0 DHCP WARNING - Non-critical field invalid in response.
2015-07-06 22:59:46 Critical R002.0 No Ranging Response received - T3 time-out (US 1)
2015-07-06 22:59:18 Critical T001.0 SYNC Timing Synchronization failure - Failed to acquire QAM/QPSK symbol timing
2015-07-06 22:59:17 Notice M572.0 Neg Or Bad Reg Rsp - Reinitialize MAC...
2015-07-06 22:59:17 Notice I401.0 TLV-11 - unrecognized OID
2015-07-06 22:59:15 Critical D003.0 DHCP WARNING - Non-critical field invalid in response.
2015-07-06 22:59:15 Critical D002.0 DHCP FAILED - Request sent, No response
2015-07-06 22:59:09 Critical D001.0 DHCP FAILED - Discover sent, no offer received
2015-07-06 22:59:03 Critical R002.0 No Ranging Response received - T3 time-out (US 2)
2015-07-06 22:58:35 Critical T001.0 SYNC Timing Synchronization failure - Failed to acquire QAM/QPSK symbol timing
2015-07-06 22:58:34 Notice M572.0 Neg Or Bad Reg Rsp - Reinitialize MAC...
2015-07-06 22:58:34 Notice I401.0 TLV-11 - unrecognized OID
2015-07-06 22:58:32 Critical D003.0 DHCP WARNING - Non-critical field invalid in response.
2015-07-06 22:58:31 Notice M571.4 Ethernet link dormant - not currently active
2015-07-06 22:58:24 Critical R002.0 No Ranging Response received - T3 time-out (US 2)

Some guidance needed

July 10, 2015, 3:05 pm
$
0
0
Ok so i used fastcert to get some CRT. Now I'm trying to convert them so i can load them via hax0 but certtxt errors out so i tried using buzzcert and it wont give me an output neither. How can i convert the text file fastcert gave me?

I'm back!!

July 10, 2015, 10:57 pm
$
0
0
After having been gone on the road working and such I havnt had must time to get online and test but I have a few questions I've been wanting to get back into and thought there was more to this forum than there is... Is there a vip section for like donations and also i thought there was a isp forum I'm on Armstrong and thier in the process of upgrading to docsis 3 they just shipped new modem today as my 5100 is still running strong sorry if this is like all over the place but like I said I'm back home for awhile and wanna get back into the swing of testing Thanks all and I'm glad to be part of the awesome forum

Wow all my post are gone too.. I look like a newbie now?
Search

xml for arris

July 12, 2015, 5:40 pm
$
0
0
Does anyone have the xml for 822 or 862. On the NT?

HELP WITH ARRIS CERTS

July 13, 2015, 5:11 pm
$
0
0
hi everyone i have the webstar modem modded and i want to use it to clone a sub modem but the sub modem we have here is arris and i find it difficult to clone.if i am corrected i think i need certs. please recommend me how to go about cloning the arris modem.

TWC Config

July 14, 2015, 11:37 am
$
0
0
Hello all,

Can someone send me a TWC config please. Also any docs on exporting certs from a SB6121 to SB6120 if we still need to or is it easier to just call and have them update my modem on my account to the new premod HFC mac and go from there??

Any input quick how to's on phasing out an active SB6121 on TWC and replacing with a premod SB6120 would be awesome and well appreciated! Wink

Thanks!!

Cisco UBR CMTS Clone Detection

July 1, 2015, 6:19 am
$
0
0
Today I would like to talk about how would one bypass Clone Detection on a Cisco UBR out of the blue for no reason at all. I have been reading up on them lately, it seems as though there are still a few minor holes in the UBR CMTS systems from what i have read anyway. For example: The Cisco CMTS router does not attempt to distinguish between two cable modems if the provisioning system does not provide a DOCSIS configuration file specifying BPI+ be enabled.

So, Correct me if I am wrong here BUT if the config file was to be edited so as to not specify BPI+ to be enabled then that would mean of course (in my mind), Yes! the CMTS well not "TRY" distinguish the legitimate modem from the clone which means you can reboot the sub modem provided you have SNMP access still and then put your clone online without issue, except for one. Yeah what about that sub modem that wont come online now do to the CMTS rejecting it because of the fact that the Cable Duplicate MAC Address Reject feature is enabled by default on the Cisco UBR???? This would not be a problem if it was not for the fact this feature creates a new log message, which appears in the system log by default, or you know, the simple fact the customer is gonna call the ISP now and tell them they have no internet. So how do we bypass this aspect of the security to allow both modems online? well Cisco says "the log message provides the cable interface and MAC address of the cable modem attempting to register when another physical modem with that same MAC address is already in a state of online(p_) elsewhere on the Cisco CMTS router." so it is possible to get on with a clone from another CMTS? or No? DOCSIS clones can’t exist on the same CMTS. They can, however, exist on dif­ferent CMTSs as per my ISP is configured at the current moment with Arris C4's so would this mean that you can get online provided you connect to another CMTS but are still using the same provisional server so as to pickup the proper config??? someone please enlighten me as to if I am on the right, or wrong, course of thinking here. How do they span clone detection across multiple Cisco UBR CMTS's? I could not find any documentation about it through Cisco. Secret? Maybe. Not Possible? Possibility. anyway yeah I probably got some shit wrong here because A: Been up sense 11:00 Last night and B: never looked into clone detection very heavily before let along look into anything about Cisco CMTS systems, I Have only ever Dealt with the Shitty Arris C4's and older.

I assume Canis is gonna weigh in here as he usually would Tongue

I think I broke my surfboard

July 19, 2015, 5:22 pm
$
0
0
First, TWC did something to my cable (I think) and I wasn't aloud to surf using chrome or connect to xbox live. Curious enough I opened tor and browsing worked. Trying to find a solution I stumbled upon this site and read a users comment saying to change to hfg MAC address. Doing this did not work and also did not let me change back to my previous address. Now I can't use my sb and am typing on my phone. If anybody can give me a solution that would be greatly appreciated.
"Previous certificate was self signed, backup not performed"
Sb5101 /version 1.1 rev 39

No longer able to force configs TWC

July 22, 2015, 3:22 pm
$
0
0
Well it looks like the hammer has finally fallen, Forcing configs is a thing of the past here in my area of so cal with TWC. Im surprised it took this long, not to worry, there are still ways, but that was just too damn easy! All good things must come to an end! Now the real party begins.

Was the site down?

July 22, 2015, 6:27 pm
$
0
0
Couldnt get on here or ping the forums for a good 4 hours, anyone know WTF Happened? did the defibrillator have to be brought in again?
Search

sb5101, 1 issue (constant reboots) and 1 question (Force Config File)

July 24, 2015, 11:40 pm
$
0
0
Hi and thanks in advance for any information.

I have a 5101 modem with haxor 1.1 r39, my ISP uses BPI+ 1.1.

I had my modem working without issues or reboots for a while my configs were not encripted and i was able to force the config file directly in to haxorware to uncap my current speed, also i have a few certz wich they worked (4 lights on CM) but they had no speed or arround 52kb, however i was able to force the config file to get my desired speed on those certz (i wasnt able to edit the config file cuz they where password protected), now recently got new security in my area and my configs are encripted now, im still able to download them and read them but i havent been able to force them, i got on haxor log:
Neg Or Bad Reg Rsp - Reinitialize MAC...
modem restarts over and over, my first question is:
Can someone tell me what to do to be able to force again my configs? (it is possible?) someting i could read or some pointers that i can get?, ty.

.. so well, when that happend i went over my Certz with speed and CM connects without issues... BUT... since that day my modem gets rebooted every 20 mins or so, mostly in the afternoons, is really random but not at nights not a single time, this for me is sooooo weird and confusing Huh, on haxor event log i get:

Notice M573.0 Modem Is Shutting Down and Rebooting...
Critical R004.0 Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out

...so i went to telnet and i got this: "Bandwidth request failure! Status = 0"

Here is the telnet log:

-----------------------------------------

Haxorware integrated telnet daemon

Username: root
Password: *****
Welcome.

CM>
CM> run
CM>
CM> run_app


Running the system...

BcmCmDocsisStatusEventCodes::kCmIsNotOperational
CamDeleteAddress: Deleted address from cam segment 0

CM> Non-Vol Settings successfully written to the device.

@@@@@ In ResetRngState, fRemainingInitRngPowerSteps 17

mot_scanList: Setting override freq @ 7000000
Scanning DS Channel at 7000000 Hz... (Initial target freq)

mot_scanList: Setting override freq @ 0
Go back to 1st favorite
Attempting Downstream FEC lock @ freq= 501000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 507000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 513000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 519000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 525000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 531000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 537000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 543000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 549000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 555000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 561000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 567000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 573000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 579000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 585000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 591000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 597000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 603000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 609000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 615000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 621000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 627000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 633000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 639000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 645000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 651000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 657000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 663000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 669000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 675000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 681000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 687000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 693000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 699000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 705000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 711000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 717000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 723000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 729000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 735000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 741000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 747000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 753000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 759000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 765000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 771000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 777000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 783000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 789000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 795000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 801000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 807000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 813000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 819000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 825000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 831000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 837000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 843000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 849000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 855000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 93000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 99000000 Hz, QAM64
Attempting Downstream FEC lock @ freq= 105000000 Hz, QAM64
Favorite[0].freq = 129000000
Attempting Downstream FEC lock @ freq= 129000000 Hz, QAM64/256

******************************************
DOWNSTREAM STATUS
******************************************
Tuner Frequency = 129000000 Hz
Carrier Offset = 1 Hz
Symbol rate = 5360537 sym/sec
SNR = 36 dB
QAM Mode = QAM256
Tuner AGC = 0xfff00000
IF AGC = 0x15171312
Power Level = 1 dB
QAM = LOCKED
FEC = LOCKED
******************************************


CM> Selecting UCD for Us Channel 3


RNG-RSP Adj: tim=2441 power=0 freq=0 Stat=Continue

RNG-RSP Adj: tim=0 power=0 freq=0 Stat=Continue

RNG-RSP Adj: tim=0 power=0 freq=0 Stat=Continue

RNG-RSP Adj: tim=0 power=0 freq=0 Stat=Continue

RNG-RSP Adj: tim=0 power=0 freq=0 Stat=Success

******************************************
UPSTREAM STATUS
******************************************
Upstream Status = UP
Upstream Channel = 3
Upstream Frequency = 37000000 Hz
Upstream Power = 45 dBmV
Ranging SID = 0x1b67
Upstream Symbol Rate = 2560000 sym/sec
******************************************

Starting IP Initialization with DHCP...

CM> ARPing for default GW IP = 10.112.64.1
MAC = 50:57:a8:89:bcBig Grin9
DHCP completed successfully!
DHCP: IP address = 10.112.74.241

Starting Time Of Day...
SNMP Agent Binding to 10.112.74.241:225
Current system time -> Fri Jul 24 05:52:08 2015

System start time -> Fri Jul 24 01:36:43 2015

Starting Tftp of configuration file...
tftp-enforce bypass is DISABLED
Storing received cfg of size 460 to memory
Motorola vendor ID
TLV-11[1]: 1.3.6.1.2.1.69.1.3.3.0 -> 2 (i32)
TLV-11[2]: 1.3.6.1.2.1.69.1.2.1.2.7 -> 10.0.0.0
TLV-11[3]: 1.3.6.1.2.1.69.1.2.1.3.7 -> 255.0.0.0
TLV-11[4]: 1.3.6.1.2.1.69.1.2.1.4.7 -> public
TLV-11[5]: 1.3.6.1.2.1.69.1.2.1.5.7 -> 2 (i32)
TLV-11[6]: 1.3.6.1.2.1.69.1.2.1.6.7 -> @
TLV-11[7]: 1.3.6.1.2.1.69.1.2.1.7.7 -> 4 (i32)
TLV-11[8]: 1.3.6.1.2.1.69.1.2.1.2.8 -> 10.0.0.0
TLV-11[9]: 1.3.6.1.2.1.69.1.2.1.3.8 -> 255.0.0.0
TLV-11[10]: 1.3.6.1.2.1.69.1.2.1.4.8 -> private
TLV-11[11]: 1.3.6.1.2.1.69.1.2.1.5.8 -> 3 (i32)
TLV-11[12]: 1.3.6.1.2.1.69.1.2.1.6.8 -> @
TLV-11[13]: 1.3.6.1.2.1.69.1.2.1.7.8 -> 4 (i32)
Time Of Day completed...
SB5101 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.112.74.241:225
13 TLV-11's OK.
BPI initialization completed. Calling ConfigOperational().
Enabling network access for all CPE ports.

mot_scanList: Writing to Flash!
BcmCmDocsisStatusEventCodes::kCmIsOperational
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Bandwidth request failure! Status = 0
Sending syslog message from IF 1 to 127.0.0.1:
<133> CABLEMODEM [Motorola Corporation]: <2300955924> Modem Is Shutting Down and Rebooting...
Bandwidth request failure! Status = 0

----------------------LOG ENDS---------------------------------

I will be more than happy if someone could share his knowledge with me, i can provide you with anything you might need, i have some info on my hands but nothing have worked so far...

Thanks.

CMImageTool

July 26, 2015, 5:21 am
$
0
0
Someone wanna send me a copy of CMImageTool. Thanks

What's your modems wireless default passphrase ?

July 26, 2015, 9:53 pm
$
0
0
Hello all!, I recently have been doing some (what i consider) fun research with cable modems, not directly attacking them physically, but some minor 802.11 security research.

I've recently found out that most ISP modems wireless default passphrases are vulnerable to a 4 character keyspace attack. Which isn't anything new at all.

In fact here are some of the samples i've collected:

BSSID: 68:94:23
ESSID: DDW3611A2
KEY: DDW3611B92FA2

BSSID: E4Big Grin5:3D
ESSID: U10C02285
KEY: U10C022607E85

BSSID: 00:1DBig Grin3
ESSID: DG860A42
KEY: DG860A862B42

BSSID: 00:1DBig Grin2
ESSID: TG862G42
KEY: TG862GBF5142

BSSID: 8C:04:FF
ESSID: DWG87518
KEY: DWG875F9AC18

BSSID: 9CBig Grin2:1E
ESSID: DDW3658B
KEY: DDW365F54C8B

BSSID: 1C:C6:3C
ESSID: SBG6580A2
KEY: SBG6580E630A2

and obviously enough i've made a PoC to automatically facilitate the generation of these default keys.

The currently Supported cable modem models for the PoC are:

1. U10C022
2. SBG6580
3. DDW3611
4. DDW3612
5. DDW365
6. TG852G
7. TG862G

These are some of the modem models i'm actively hunting for:

1. DVW3201B
2. SBG6782-AC
3. SB6141
4. SBG6400
5. SB5101
6. SBG901

If anyone would like to contribute to said research, please post a reply with the following

1. A picture of your cable modems security label.

i.e:
https://i.imgur.com/LRQ7EnY.jpg - MOTOROLA-XXXX

Note: Once the default key generator gets a few more entries, i'll release it via this thread.

For those who contribute, thanks in advance!

Default ISP Technician Modem login credentials

July 26, 2015, 10:30 pm
$
0
0
Nothing special here just wanted to provide people with the default Technician credentials that ISPs use to do things to your modems with.

Time Warner Cable:
MODEL: DWG875
TYPE: ThomsonAP
USERNAME: technician
PASSWORD: T1meWarner!23
NOTE: MAC may state that AP is Technicolor vendor. (The cake is a lie!)
--------------------------------------------------------------------------------------------------------------------------------------
Time Warner Cable:
MODEL: DDW365
TYPE: UbeeAP
USERNAME: 30F54C8B
PASSOWRD: c0nf1gur3m3
NOTE: (That username is not the standard default!), this is based on the last 4 octets of your cable modems mac address. I.E. XX:XX:30:F5:4C:8B

If anyone would like to contribute, replay with an attachment of your cable modems backup DefaultGatewaySettings.bin file.

As i obtain more DefaultGatewaySettings.bin files, this thread will be updated accordingly.

For those who contribute, thanks in advance!

hack a comcast Cisco SB3 modem?

July 1, 2015, 11:49 pm
$
0
0
I wanna hack the modem so i can change my mac to change my ip, since nothing else ever works
Viewing all 4466 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>