Cable Modem Firmware Update

[Hebe Newnam]

Ipurchased the AC1900 C7000v2 cable modem for use with Spectrum Internet a few years back. Everything has worked fine until a few days ago. My instincts told me to update the firmware (currently V1.02.09).

As the Netgear Genie (internet portal) listed nowhere to update the firmware, my investigation lead me to download and install the iOS app and waste time setting up an account. After installing the iOS app I was excited to see the app confirm that the firmware was out of date... but gives absolutely no way to download and push it to the modem. I was frustrated and annoyed to discover that other uses have had the exact same experience with Netgear offering no specific solutions - especially for this model.

Right now it's all working and the page you suggested I look at shows that the firmware listed above is the only firmware approved by Spectrum even though 2 newer versions are available. As mentioned I haven't had a problem today (and I think that the real issue was on Spectrum's end).

I've been using the the cable modem, Zoom DOCSIS 3.0 5341J, for a few years and I'm happy with it. I have a general question. Is it possible or even needed to update the firmware? When I go to 192.168.100.1, I see Software, Connection, Security links on the left (and Event Log if I provide the URL). But I don't see a link or button to allow me to update firmware. Thanks.

yes and no.

You can't upload your own firmware. But if you go to the Comcast My Account - My devices page and have Comcast do a factory reset on your modem, it will download whatever Comcast has as the latest.

The Cable Operators (MSOs) have complete control of what cable modem/gateway hardware they will allow installed and the firmware it uses, this is because they own the coaxial cable that is connected to the ARRIS SB8200, because of that the Firmware updates are pushed by them, and any update needed as well. Any associated firmware updates are automatically deployed by the cable operator. This is not an ARRIS only implementation, but the required implementation of any cable device manufacturer.

Even for the device owned by the customer only the service provider can only update the firmware since the modem is activated by them. Regarding slow speed you can try resetting modem and perform speed test on direct connection to the modem without router. If still you face slow speed make sure you are using the cat6 or cat7 ethernet cable and to isolate the issue we need to check the cable signal level so please follow the steps mentioned on the below link.

A few weeks ago I got curious about an old cable modem sitting in my closet,a Motorola MB7220. Initially I was interested in what kind of hardware it hadand if it was running Linux. Some quick searching brought me to a thread ona web forum where people were discussing the built in spectrum analyzer featureused for diagnostics. Someone mentioned that they could see spikescorresponding to FM radio stations. This sparked a thought: if a cable modem and a digital TV tuner dongle are fundamentally doing the same thing (receiving and demodulating QAM signals), could a modem be turned into an SDR (software-defined radio)a la RTL-SDR?

Going into this project, I knew next to nothing about RF and had no idea ifthis goal was even feasible at all for the hardware. I found an SDR project based on an Analog Devices cable modem chip, as well as a forum threadwhere someone else was wondering about the same thing a few years ago.

I say if you have the skills, time and desire, give it a go and see where you end up. If google shows nothing, then its likely not been tried. With so few firsts available in life, take those that present themselves and have a crack, even if failure is always an option.

After removing a few screws from the plastic housing to get access to theboard, my first thought was to look for UART headers to take a peek at the serial console. After identifying two candidates consisting of four vias surrounded by a rectangle near the edge of the PCB, it was time to identify the pins. Using a multimeter, the ground pin can be easily identified by checking the continuity with one of the metal shields on board. The VCC pin can be identified by measuring the voltage of each pin when powering on the board. It should be a steady 3.3v, or in some cases 1.8v or 5v. This pin is not needed, but is still useful to identify the operating voltage and eliminate one candidate for the Tx and Rx pins.While booting, the Tx pin will sit on average a little lower than the VCC pinand drop much lower when a lot of data is being output. This leaves the last pin as Rx.

There are a few reasons why the Raspberry Pi is not the best serial interfacesuch as if you need parity or other features, but in this case I had it on handand it works. The serial console of the Pi must also be disabled so that it can be freed up for other purposes. There is another reason I chose to use the Raspberry Pi which I will get to later.

Finally, to actually see the data I used the cu utility:

cu -l /dev/serial0 -s 115200

The baud rate was a lucky guess, but 115200 is very common on such devices.If the baud rate is wrong you will quickly know when you see a bunch of garbageon the screen. A logic analyzer could be used to definitively find the baud rate and other parameters, but guessing is sometimes quicker and always cheaper.

This output contains a wealth of information. The device is running eCos on a MIPS processor which is part of a Broadcom BCM3383 SoC. It turns out there are actuallytwo MIPS processors on this SoC although one of them is not used on thismodem, explaining the other UART. On some devices, the second processorwill run Linux for additional features.

My goal now was to enable the serial console. Examination of the board revealsa single SPI flashchip which likely contains the bootloader, OS, and configuration as it is theonly non-volatile storage visible on the board.

One common issue with dumping a SPI chip on a board is that the chip requirespower, but this will also usually power the board and cause it to start bootingand using the chip. I chose to overcome this by heating the VCC pin with mysoldering iron and very carefully lifting it off the pad. This is a convenient,but rather crude solution which may result in snapped off leads so use at yourown risk! I also soldered a jumper wire to the pad and another to the floatingleg so that I could easily connect and disconnect them and allow the device toboot again.

Another note, on some boards the Chip Select pin is assumed to always be enabled so it is directly tied to VCC. This means when you power the CS pin, the board also starts booting. This can be solved in a similar wayto the VCC pin.

To actually read the chip, there is a fantastic tool called flashrom which supports an enormous number ofchips. flashrom is present in the repos of many distributions including thatof the Raspberry Pi OS (formerly known as Raspbian).

After some searching, I came across a great project called bcm2-utils which contains utilitiesto dump, parse, and modify the configuration on Broadcom cable modems. The repoalso contains a lot of very detailed documentation on the format of thefirmware and configuration. As a quick note, the dumping feature requires either telnet or serial connection, neither of which were available on my device.

To avoid rewriting the entire chip, I created a layout file for flashrom so itwould only overwrite the configuration rather than the entire contents which iswhy the modified image is just padded with zeros.The layout file looks like this:

Closer examination of the flash image shows that there are a number ofrepeated copies of the configuration following the initial one. These haveslight differences, the most obvious being additional error log messages. It appears that the device keeps rolling backups of the configuration in case one gets corrupted.

To simplify things, I did a factory reset through the web interface to get ridof all the error log messages. Then I dumped the flash again and repeated the previous process to modify the clean configuration except this time I truncatedthe config to only include the first copy. Then using some dd commands Iwould rather not think about, I reconstructed the entire configuration section,appending the modified config at each offset where a copy of the configstarted.

After flashing this new image and booting once again, I am finally able toview the entire boot log and then have access to a console, although theoutput is being flooded by a process looking for a signal.

Initially, I just wanted to see if I could enable the web-based spectrumanalyzer which seems to be disabled on this device. There were some settingsrelated to it, but nothing about enabling or disabling the external interface.

I started naming any functions I came across using the strings as well asthe function signature in combination with the context it is used and anycross references. Eventually, when ending up in an unknown function, the crossreferences to named functions give some clue as to the context of the functioneventually making things a little easier.

One useful feature of the eCos console is the call command which allows youto call a function at an arbitrary address with the the given arguments. Thisallows us to actually execute a function to test a hypothesis about what itdoes.

The operating system has a large amount of Broadcom code on top of it which is all written in C++. This makes reversing it significantly more annoying byadding a lot of indirection when it comes to function calls and polymorphism.For example you will often see code like this:

Sometimes the class can be determined by following the object pointer all theway back to where it is initialized, but other times it is easier to just patcha function where the unknown object is used to write the vale of the pointer to a known location and then return. This can be done with the write_memory command in the eCos console. Then the call command can be used to call the function containing the unknown object and then read_memory can be used to retrieve the pointer from the known location. These type of hacks as well ascombining static and dynamic analysis are crucial to avoid getting stuck.

3a8082e126