Hi,
My haxorware modem went offline a couple years ago with the new cc security, and i gave up and put it away. I have been interested in getting it going lately and am looking for some advice. I am very interested in learning how it works and don't mind reading and studying DOCSIS but I'm not sure where to go. I have also switched ISPs and don't use cc anymore. Here is my telnet log:
Since my mac is not provisioned I get the unknown.bin config file which fails the CVC check.
First, my subbed modem is an Arris mg5225g which is a modem and router in one. I don't think I can scan for macs, because you're supposed to be connected directly to modem, not behind a router. I tried putting my pc in dmz and scanning but it doesn't seem to work. Is there a way to scan with my equipment, or is that the wrong approach altogether? I was thinking if I could see macs and config files on my network I could play around with those to at least get more information on the security my cmts is running.
I don't know a whole lot about snmp but it seems like that might hold a key for me? Problem is I can't get any information with the unknown.bin config file sent to my modem. I think I would at least need a community string, but where can i get that if its not in the config file?
I keep reading that I need to understand the handshake and learn how to make my cm send what the cmts is wanting to see, but I can't get past this unknown.bin problem.
I really do want to learn more about this and I like to read and understand these things (I basically taught myself c++ just from reading online), I'm just hoping someone can point me in the right direction.
My haxorware modem went offline a couple years ago with the new cc security, and i gave up and put it away. I have been interested in getting it going lately and am looking for some advice. I am very interested in learning how it works and don't mind reading and studying DOCSIS but I'm not sure where to go. I have also switched ISPs and don't use cc anymore. Here is my telnet log:
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.09.13 11:02:04 =~=~=~=~=~=~=~=~=~=~=~=
Haxorware integrated telnet daemon
Username: root
Password: ****
Welcome.
CM>
CM> DHCPc: Sending Discover packet; client id htype=1, value=00:15:9a:d9:51:64
DHCPc: Received an Offer from DHCP server XX:XX:XX:XX:XX:XX (172.29.255.121); lease client id htype=1, value=XX:XX:XX:XX:XX:XX
CM> runDHCPc: Timed out waiting for offers for lease with client id htype=1, value=XX:XX:XX:XX:XX:XX
DHCPc: Sending Request packet; client id htype=1, value=XX:XX:XX:XX:XX:XX
DHCPc: Received an Ack from DHCP server XX:XX:XX:XX:XX:XX(172.29.255.121); lease client id htype=1, value=XX:XX:XX:XX:XX:XX
Current IP address is default 0.0.0.0.
0x0000f686 [DHCP Client Thread] BcmEcosIpHalIf::ConfigureLeaseImpl: (IP Stack1 HalIf)
Configuring IP stack 1:
IP Address = 10.137.232.220 (primary IP address)
Subnet Mask = 255.255.248.0
Router = 10.137.232.1
IsPrimaryInterface = 1
Logging event: DHCP WARNING - Non-critical field invalid in response.
0x0000f6ae [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 63
elapsed time secs = 1
ARPing for default GW IP = 10.137.232.1
MAC = 00:01:5c:69:de:46
DHCP completed successfully!
DHCP Settings:
Client Id = htype=1, value=XX:XX:XX:XX:XX:XX
State = Renewing (5)
Static Lease = 0
AutoConfig Mode = IP, Subnet and Router
XID = 0x7a7fe81e
Number of Tries = 0
Max Discover Tries = 6
Max Request Tries = 6
DHCP server MAC addr = 00:01:5c:69:de:46
Ignore NAKs = 0
My offered IP address = 10.137.232.220 (primary IP address)
(1) Subnet Mask = 255.255.248.0
(3) Router IP address = 10.137.232.1
(54) DHCP Server IP address = 172.31.15.244
(82) Relay Agent IP address = 172.29.255.121
TFTP Server IP address = 172.31.15.244
CM Configuration file = 'unknown.bin'
(2) UTC Time Offset = -28000 seconds
(4) Time Server IP address = 172.31.15.244
(6) Domain Name Server = 172.31.15.162; 172.31.15.244
(7) Log Server IP address = 0.0.0.0
(51) Lease time = 604800 seconds
(58) T1 (renew) = 302400 seconds
(59) T2 (rebind) = 529200 seconds
Lease is infinite = 0
CmSnmpAgent::IpAddressAcquiredEvent for SB5102 CM Agent w/ BRCM Factory Support
IP addr = 10.137.232.220
Starting Time Of Day...
0x0000f71c [CmDocsisIpThread] BcmDocsisTimeOfDayThread::SetTodServerIpAddress: (Time Of Day Thread) ToD servers: 172.31.15.244
Connecting to ToD server 172.31.15.244...
Sending UDP ToD request to server...
Not logging event ID 2291949724, control for level 7 is 0.
UTC returned by ToD server 3619609332; UTC offset -28000
Current system time -> Sat Sep 13 07:15:32 2014
System start time -> Sat Sep 13 07:14:29 2014
Starting Tftp of configuration file...
Opening file 'unknown.bin' on 172.31.15.244 for reading...
Resuming SNMP Thread
tftp-enforce bypass is DISABLED
SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.137.232.220, Subnet=255.255.248.0, Gateway=10.137.232.1
Ip addr is the same, not rebinding.
SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.137.232.220, Subnet=255.255.248.0, Gateway=10.137.232.1
Ip addr is the same, not rebinding.
Storing received cfg of size 1108 to memory
Tftp read < 512 bytes, we have reached end of file.
Tftp transfer complete!
TFTP Settings:
Stack Interface = 1
Server Ip Address = 172.31.15.244
Server Port Number = 32794
Total Blocks Read = 3
Total Bytes Read = 1108
Config file was read! IP Initialization completed...
MAX CPE per CM is being set to 32
TLV-11[1]: 1.3.6.1.2.1.69.1.2.1.4.1 -> public
TLV-11[2]: 1.3.6.1.2.1.69.1.2.1.5.1 -> 3 (i32)
TLV-11[3]: 1.3.6.1.2.1.69.1.2.1.6.1 -> HEX:40 00
TLV-11[4]: 1.3.6.1.2.1.69.1.2.1.7.1 -> 4 (i32)
Time Of Day completed...
DefaultSnmpAgentClass::SystemTimeChangeEvent for SB5102 CM Agent w/ BRCM Factory Support
Not logging event ID 2291949524, control for level 7 is 0.
Not logging event ID 2291949324, control for level 7 is 0.
SB5102 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.137.232.220:225
4 TLV-11's OK.
Sending a REG-REQ to the CMTS...
Received a REG-RSP message from the CMTS...
0x0000f942 [CmDocsisCtlThread] BcmCmDocsisCtlThread::RegRspMsgEvent: (CmDocsisCtlThread) We registered with a DOCSIS 1.0 config file!
Adding DOCSIS 1.0 CoS Settings for SID 0xaf8
Class Of Service Settings:
SID = 0xaf8
Max Us Burst = 3044 bytes
Max Us Rate = 131072 bits per second
Max Bucket size = 24288 bits
Bits In Bucket = 24288
Last Bucket Update Time = 64810 ms
Last Bucket Flush Time = 64810 ms
Packet Delay Time = 0 ms
Global CONCAT has been disabled for all upstream queues (either from NonVol settings or CMTS override).
Fragmentation is ENABLED in DOCSIS 1.0 mode!
0x0000f94c [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndApplyRegAckHack: (CmDocsisCtlThread) DOCSIS 1.0 reg on us phy type 3 channel. --> perform REG-ACK hack!
Registration complete!
Process CVC
CmDownloadMatchBuffer - length comparison failed
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileSpecifiedCvc: (Secure Software Download) ERROR - Config File manufacturer CVC Subject organizationName does not match the CM's manufacturer name.
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileManufAndCosignerCvcs: (Secure Software Download) ERROR - Reject config file MFG CVC!
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::ProcessCVC: (CmDocsisCtlThread) ERROR - Config file does not include a valid CVC!
DOCSIS CoS/QoS rate shaping enable is now 1
CmSnmpAgent::CmOperationalEvent for SB5102 CM Agent w/ BRCM Factory Support
CmSnmpAgent operating in 1.0 mode, including docsBpi, excluding docsQos
+++ No DH kickstart profiles or snmpCommunityTable entries installed.
We will operate in NMACCESS mode.
SB5102 CM Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
SB5102 CPE Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndLaunchBpkm: (CmDocsisCtlThread) BPKM disabled via provisioned config file setting.
Enabling network access for all CPE ports.
mot_scanList: Writing to Flash!
0x0000f9e2 [CmDocsisCtlThread] BcmDocsisCmHalIf::ConfigOperational: (DOCSIS CableModem HalIf) Running IGMP in DOCSIS 1.0 mode!
BcmCmDocsisStatusEventCodes::kCmIsOperational
Suspending SNMP Thread
0x0000f9ec [CmDocsisCtlThread] BcmVendorCmApplication::StopDhcpServer: (VendorExtension CmApp) Shutting down DHCP Server...
0x0000f9ec [CmDocsisCtlThread] BcmStandbySwitchThread::CmIsOperational: (Motorola Standby Switch Thread) Simulating a press of the standby switch to get the state configured properly.
0x0000f9f6 [IGMP Thread] BcmIgmpThread::Starting Igmp Thread...: (IGMP Thread)
0x0000fa00 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ThreadMain: (Motorola Standby Switch Thread) Standby switch was pressed!
0x0000fa00 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ProcessSwitchEvent: (Motorola Standby Switch Thread) Standby switch disabled in nonvol; ignoring event.
Logging event: Improper Configuration File CVC Format
SB5102 CM Event Log w/ BRCM Factory Support sending deferred async messages...
Done w/ deferred msgs
Not logging event ID 2296948624, control for level 7 is 0.
CM>
Since my mac is not provisioned I get the unknown.bin config file which fails the CVC check.
First, my subbed modem is an Arris mg5225g which is a modem and router in one. I don't think I can scan for macs, because you're supposed to be connected directly to modem, not behind a router. I tried putting my pc in dmz and scanning but it doesn't seem to work. Is there a way to scan with my equipment, or is that the wrong approach altogether? I was thinking if I could see macs and config files on my network I could play around with those to at least get more information on the security my cmts is running.
I don't know a whole lot about snmp but it seems like that might hold a key for me? Problem is I can't get any information with the unknown.bin config file sent to my modem. I think I would at least need a community string, but where can i get that if its not in the config file?
I keep reading that I need to understand the handshake and learn how to make my cm send what the cmts is wanting to see, but I can't get past this unknown.bin problem.
I really do want to learn more about this and I like to read and understand these things (I basically taught myself c++ just from reading online), I'm just hoping someone can point me in the right direction.