HACKING THE CABLE MODEM
by DerEngel

San Francisco

HACKING THE CABLE MODEM. Copyright © 2006 by Ryan Harris.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Printed on recycled paper in the United States of America

10 09 08 07 06 1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-101-8
ISBN-13: 978-1-59327-101-5

Publisher: William Pollock
Associate Production Editor: Christina Samuell
Cover Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Isabella Lindquist
Copyeditor: Publication Services, Inc.
Compositors: Riley Hoffman and Megan Dunchak
Proofreader: Stephanie Provines

For information on book distributors or translations, please contact No Starch Press, Inc. directly:

No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com

Library of Congress Cataloging-in-Publication Data

DerEngel, 1983-
Hacking the cable modem : what cable companies don't want you to know / DerEngel.
p. cm.
Includes index.
ISBN 1-59327-101-8
1. Modems--Handbooks, manuals, etc. 2. Computer hackers--Handbooks, manuals, etc. I. Title.
TK7887.8.M63H37 2006
004.6'4--dc22
2005033678

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty.
While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

This book is dedicated to all the righteous hackers that have been silenced by greedy corporations, and to Karly, the love of my life, for without you there would be no reason for me to get out of bed in the morning.

ACKNOWLEDGMENTS

Foremost, I want to thank my wife, Karly, for being so patient while I was writing this book. Believe me, that was a hard thing for her to do. I also want to thank my parents for their unconditional support over the years.

Thanks to Derek Rima for helping me occupy my spare time with online first-person shooters, for the many LAN tournaments we have attended, and for the ones we will attend in the future.

Thanks to the entire No Starch Press crew, which I have had the pleasure of working with during the creation of this book.

Thanks to the entire TCNISO team, especially Isabella, who served as this book’s technical reviewer, and Jacek, who contributed to the RCA/Thomson hack discussed in Chapter 19.

Thanks to Kevin Poulsen; if it wasn’t for him, cable modem hacking would not be as big as it is today.

Many thanks to Jason Schultz and Henry Lien of the Electronic Frontier Foundation (EFF), not only for reviewing this book, but also for helping to protect freedom in our digital world.

Last but not least, special thanks go to Bill Pollock, founder of No Starch Press, who believed in me enough to make this book a reality.
BRIEF CONTENTS

Introduction
Chapter 1: A History of Cable Modem Hacking
Chapter 2: The Cable Modem Showcase
Chapter 3: A Faster Internet
Chapter 4: The DOCSIS Standard
Chapter 5: What’s Inside?
Chapter 6: Firmware
Chapter 7: Our Limitations
Chapter 8: Reverse Engineering
Chapter 9: Cable Modem Security
Chapter 10: Buffer Overflows
Chapter 11: SIGMA Firmware
Chapter 12: Hacking Frequencies
Chapter 13: Useful Software
Chapter 14: Gathering Information
Chapter 15: The Blackcat Programmer
Chapter 16: Traditional Uncapping
Chapter 17: Building a Console Cable
Chapter 18: Changing Firmware
Chapter 19: Hacking the RCA
Chapter 20: Hacking the WebSTAR
Chapter 21: The SURFboard Factory Mode
Chapter 22: Hacking the D-Link Modem
Chapter 23: Securing the Future
Appendix A: Frequently Asked Questions
Appendix B: Disassembling
Appendix C: Cross-Compiling
Appendix D: Acronyms
Index

CONTENTS IN DETAIL

INTRODUCTION
My Origin
Why a Book on Hacking Cable Modems?
Why Should I Read This Book?
Cable Modem Hacking Secrets Exposed
This Is the Only Book That Includes Everything!
How This Book Is Organized
Always Hack Responsibly

1 A HISTORY OF CABLE MODEM HACKING
In the Beginning
The Cap
DOCSIS: The Cable Modem Standard
DOCSIS Takes Effect
Finding the Holes
TFTP Settings and Config Files
ARP Poisoning
How This Hack Could Have Been Prevented
Cable Modem Hacking Begins
Creating an Executable Hack
Defeating the Message Integrity Check
Fireball and Cable Modem Firmware
How the Firmware Is Upgraded
Isabella
Controlling the Firmware with SIGMA
DOCSIS 2.0
Blackcat
What’s to Come

2 THE CABLE MODEM SHOWCASE
DOCSIS vs. Non-DOCSIS
Standard Features
Wireless Support
Universal Serial Bus Port
External Case
Voice over IP Support
Additional Features
Purchasing Guide
Available Features
The Showcase