I switched from my trusty DSL to a cable ISP a while ago and decided to take a deeper look at their modem - an Arris TG1692A. Fancy thing, but for obvious reasons I cannot disassemble it. But it has a crappy web UI... we surely can play with it, right?
Background story: I have a Pi-hole running at home and it listens on both IPv4 and IPv6. However, the IPv6 range is handed out by my modem through Router Advertisement packets, and it advertises itself as the DNS server, essentially making all IPv6-enabled devices bypass the damn blocker. I needed to change that!
You might be asking yourself why so many overrides. Well, honestly, I just decided to play with it: anything that was commented out, disabled for my user or even my ISP, I just reenabled it. This gave me access to diagnostics tools, hidden settings, all sorts of things. It's fun, it's like a whole new modem! I can access routing tables, extra wireless settings, some cable diagnostics stuff, all sorts of interesting things!
Hi! I'm Ricardo, from the future! If you ended up here because you wanted to change the IPv6 DNS on the same modem as I have, you might be wondering if there's an easier route. And in fact, there is! Open the web interface and navigate to the LAN IPv6 Settings page. There, just run this script in your browser's console (developer tools):
This script will disable the validateIpv6 function (bypassing the bug) and also prevent the modem from saving the IPAddressV6 property, which is dynamic and I honestly don't wanna test to see what happens. That's it! Simple as that!
His method requires the account the modem is tied to to remain active, so he usually takes equipment from large, well-established, corporate accounts, explaining that the ISP rarely fucks around with the corporate accounts, because a mistake could take down hundreds to thousands of modems and really piss off the cash cow.
It works, and I'm a computer nerd but I've never heard of this, anyone have an article or more information on it to make sure he doesn't screw himself? He just thinks "oh, free internet" and paid a guy $400 to install it (I'm sure he got ripped) without knowing anything about it. I tried asking the guy and he says he's not spoofing the MAC address and in fact it won't even be registered with the ISP, but he's not giving me much information. I'm guessing he just buys the hacked modems offline, does some stuff and installs them. And personally, I'm just really curious as to how it works.
I simply state NO. It is NOT intended for that purpose. These modems are 100% legal to sell, it is a stock Motorola diagnostic shelled firmware. This is why they are allowed to be sold on eBay, because we as modders are doing NOTHING illegal if we are just simply upgrading the firmware to shell access.
It was a fun journey, but out of caution, I will not be actually using this modem. Cloning MACs is too much intertwined with stealing internet service and although it is not something I ever intend to do, I do not want there to be any confusions between me, the government, and Big ISP. As a result, it was just a fun exercise. As a word of advice to the reader, many people have been arrested for hacking modems. This site does not condone or promote any illegal activities and this post is presented only for education purposes and is more about reversing hardware than it is about bypassing restrictions.
According to the U.S. Department of Justice (DOJ), Ryan Harris, 26, ran a San Diego company called TCNISO that sold customizable cable modems and software that could be used to get free Internet service or a speed boost for paying subscribers.
The arrest follows a November 2008 undercover sting operation, where a U.S. Federal Bureau of Investigation agent bought modems and a book by Harris about cable-modem hacking. "These modems were capable of hacking a cable network and obtaining free Internet service," the indictment states.
Hackers have known for years that certain models of cable modem, such as the Motorola Surfboard 5100, can be hacked to run faster on a network, a process known as uncapping. However, the question of whether uncapping a modem is illegal is "not clear," according to Bill Pollock, founder of No Starch Press, which published Harris' 2006 how-to book, Hacking the Cable Modem.
Pollock said he published the book to give Internet users good information about how to tinker with their modems and get diagnostic information, some of which is blocked by Internet service providers. "If you buy a modem and you can hack the firmware, it's your piece of hardware," he said. "If you use it to steal service, you're breaking the law."
Cable modems can also be configured to use a paying customer's MAC (Media Access Control) address to steal service. According to the indictment, Harris helped develop tools that could be used to sniff MAC addresses in order to get on the network free.
Authorities say Harris' company, TCNISO, made more than $1 million selling cable-modem-hacking materials between 2003 and 2009, according to court documents. The company distributed cable-modem firmware called Sigma, along with a version of the Surfboard 5100 modem and some hacking software called Blackcat.
In 2005, the company developed a modified version of Sigma, called Sigma X, that could "block ISPs from 'probing' a modem to determine whether it was hacked," the indictment states. In March 2007, Harris asked users on the Tcniso.net forums for "verified Mac addresses and/or config files," it states.
One of TCNISO's more notorious customers was an unidentified teenager who used the hacker name Dshocker. Last year Dshocker pleaded guilty to hacking charges that dated back to 2005, when he was just 13 years old. Dshocker was charged with using stolen credit cards, phoning in bomb threats and operating a botnet of several thousand hacked computers.
Dshocker used Sigma to change his modem's MAC address and connect to a U.S. ISP, Charter Communications, without paying, the Harris indictment states. Later, he allegedly uncapped his modem, bumping up his access speed tenfold.
TCNISO's Web site was offline Monday, but Swingler's site, cablehack.net, is still open for business. According to CableHack's site, the modems it sells are "for educational use only." The company "does not encourage its users to use these modems illegally in any way, shape, or form."
In 2006, a hacker going by the name "DerEngel" ("The Angel") wrote a book for respected tech publishers No Starch Press on Hacking the Cable Modem. The book came with a warning: "The practice of modifying a cable modem violates service agreements, and hackers risk being banned by service providers for life. This book is not intended to be used for stealing Internet service or any other illegal activity." It was intended, you know, for research. Not for stealing Internet access.
An early review of the book noted this warning didn't seem to fit with the tone of the text, which repeatedly implied "that uncapping, MAC [Media Access Control] cloning, and evading detection is a noble pursuit." (Though one section did include "recommendations to ISP engineers on how to improve their systems to more easily defeat and detect cable modem hackers.")
The feds weren't buying the "research" angle, either; they were convinced that DerEngel was running the country's largest cable modem hacking operation, showing thousands of people around the country how to get free or higher-speed service from local Internet providers. And they were going to stop it.
DerEngel was really Ryan Harris, a young Oregon resident. Harris had dropped out of high school at 15, like many disenfranchised geeks. He got his GED instead and attended college for a year, but his computer hacking skills were largely self-taught. Around 2003, he set up TCNiSO.net, a Web-based company devoted to creating "diagnostic" tools for cable modems.
The tools came in two basic varieties: a packet sniffer dubbed "CoaxThief" and a MAC address/config file changer for select cable modems. Together, the tools enabled some fairly clever Internet fraud.
To understand how it worked, consider how cable modems function. Cable networks generally use a shared line connecting many homes in a single neighborhood, as opposed to DSL, where each home's line runs all the way back to a central phone office. That posed a problem for cable operators when they began offering Internet access: how do you tell which traffic on the wire is being paid for by customers, and how do you limit them to their subscribed speed tier?
The basic mechanism involved MAC controls. Each cable modem had a unique MAC address linked to a subscriber's account, so the cable headend could simply block all traffic that didn't originate from a MAC address linked to a paid-up account. Problem solved!
That's where Harris's other software came in. Released in 2003, the Sigma firmware exploited modem vulnerabilities to install itself into a modem's memory, allowing users to change the device's MAC addresses. The code had to stay continuously up-to-date, since cable companies regularly tweaked their own countermeasures in response. In 2005, for instance, Sigma became SigmaX and gained the ability to defeat cable-company initiated "probes" of cable modems on their lines.
With the right MAC address and the right software, suddenly the hacked cable modem provided a connection to the cable system. And it could get even faster. Cable modems use cable-provided profiles to limit users to specific speed tiers; Harris also found ways to uncap the modems by altering these profiles, upping their speeds dramatically.
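The MAC allow-list described above trusts an identifier that the modem itself reports, which is why a cloned address was accepted. An added example (not from the article or from any ISP's tooling) of that headend-side check together with a duplicate-registration test that catches a clone; the log format, CMTS names and MAC values are constructed, and it assumes a legitimate modem is online on only one CMTS at a time.

```python
from collections import defaultdict

# Constructed sample data: provisioned modem MACs and CMTS registration events.
PROVISIONED = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
EVENTS = """\
2009-11-02T10:00:00 cmts-east online 00:11:22:aa:bb:01
2009-11-02T10:05:00 cmts-east online 00:11:22:aa:bb:02
2009-11-02T10:07:00 cmts-west online 00:11:22:AA:BB:01
2009-11-02T10:09:00 cmts-west online 00:11:22:aa:bb:99
2009-11-02T10:30:00 cmts-east offline 00:11:22:aa:bb:02
2009-11-02T10:45:00 cmts-west online 00:11:22:aa:bb:02
"""

def parse(line):
    """Split one event line; MACs are normalised to lower case."""
    ts, cmts, state, mac = line.split()
    return ts, cmts, state, mac.lower()

def audit(events_text, provisioned):
    """Return (unprovisioned, clones).

    unprovisioned: MACs that tried to register without a matching account.
    clones: provisioned MACs seen online on more than one CMTS at once,
            mapped to (first time seen duplicated, CMTSes involved).
    """
    online = defaultdict(set)   # mac -> CMTSes where it is currently online
    unprovisioned, clones = set(), {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, cmts, state, mac = parse(line)
        if state == "offline":
            online[mac].discard(cmts)
            continue
        if mac not in provisioned:
            # The allow-list check from the article: no account, no service.
            unprovisioned.add(mac)
            continue
        online[mac].add(cmts)
        if len(online[mac]) > 1:
            # Passes the allow-list, yet one modem cannot be in two places.
            clones.setdefault(mac, (ts, sorted(online[mac])))
    return unprovisioned, clones
```

The modem ending in `:02` goes offline before reappearing on another CMTS, so it is treated as a move and not as a clone.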
Despite the talk about "diagnostic purposes," the TCNiSO.net operation doesn't come across as a particularly subtle operation. Harris employed several people around the country to code his apps and firmware, and he oversaw a forum in which people offered troubleshooting advice on stealing Internet service and on exchanging MAC addresses. (One thread in 2006 was called "What i need to do, so my isp can't catch me." Others offered "the Charter 0/0 config for download," while another asked: "RR [Road Runner] in North Carolina, anyone want to trade macs?") An FBI agent had no trouble calling the phone number for TCNiSO and ordering a hacked modem.