> I chose to overcome this by heating the VCC pin with my soldering iron and very carefully lifting it off the pad. This is a convenient, but rather crude solution which may result in snapped off leads so use at your own risk!
If that mishap on an SOIC chip occurs, don’t fret, you can usually shave off a bit of the plastic and get enough pin surface to solder a jumper to VCC.
An alternate method is to follow the VCC trace and cut it, then solder your own wire to the unlifted lead and a nearby capacitor with a switch. Beware that you might power more than the chip if the trace continues, but that’s usually fine. Sometimes this is a good thing because you still power pull-up resistors.
Yet another option is to place a glob of solder across 4 pins, heat them all up, and lift half the chip. The other 4 legs will be hot and soft enough to bend easily.
Finally, for the non-VCC connections, you could follow the traces and find easier places to solder to rather than a bunch of side-by-side leads.
> Enter '1', '2', or 'p' within 2 seconds or take default...
Wait, tens or hundreds of millions of cable modem startups are delayed by 2s on each start just in case somebody has soldered up a serial interface and wants to load a different image?
Wait until you find out your Mac initializes bluetooth in the BIOS and looks for a keyboard and checks for keys pressed before trying to boot anything, in case you're holding down option to go into the boot menu using a wireless keyboard.
This is pretty much a universal feature of any device with a bootloader and an OS. If it weren't there, you wouldn't be able to diagnose anything. 2 seconds is reasonable.
Cable modems are powered up and online 99.9% of the time, little to no productivity is being lost here. If it makes the engineers' lives easier, up to 5 seconds would be totally reasonable, in my opinion.
If you want to talk about human productivity being pointlessly wasted while waiting for things to load, let's start with modern web apps.
That or just simply the sheer percentage of Comcast downtime, or the percentage of time their stupid DHCP servers give me only an IPv6 and not an IPv4 address, and their support just gives me the "Is the power button in the on position" type BS and the support person doesn't seem to even know what DHCP is.
Fun fact: The USB logo should be facing you when the cable is inserted in the correct orientation. Ever since learning that, the magic "turn it around three times" has stopped happening to me.
That wouldn't surprise me. How much of a cable modem's life is spent booting? Probably not much. Fiddling with the bootloader to make it faster on production hardware would make it harder to debug if needed. They did leave the UART pins accessible on the board, so they may have expected to possibly need to tftp boot the boards in extreme circumstances.
You could make that require a jumper somewhere, but 2 seconds added to the boot time, when a working modem probably doesn't boot more than once a month is simply not a lot of time.
If we're trying to save as much time as possible from our internet service, let's talk about Comcast's call center hold times, where I've wasted orders of magnitude more time than waiting for my modem to boot.
That’s about 76 years of waiting each year for 100m monthly reboots.
I think the 3 cents saved on a jumper block per unit is fine, but since we’re talking about a UART that requires soldering to access, holding two lines together to access debug mode seems fine.
I only recently understood that my Coax cables are basically like an RF spectrum similar to Wifi except inside the cables. It appears this is taken as obvious because I had a really hard time finding someone explain it like that.
I bought these boxes which use the Coax at very high frequencies to do Ethernet between sides of my house using MoCa which is used by TiVos and newer set top boxes. I had trouble understanding "how is this secure" when my modem is also connected to the same coax and this is clearly not behind my firewall. Well, of course, you filter out the signal from leaving through the Coax which provides you cable!
I would rather just run ethernet and keep it behind a firewall, but this reduces punching holes in the walls for now.
> I only recently understood that my Coax cables are basically like an RF spectrum similar to Wifi except inside the cables. It appears this is taken as obvious because I had a really hard time finding someone explain it like that.
Back in the day nearly everyone had the experience of connecting an outdoor antenna to a coax cable.
BTW, you can even run Wi-Fi over a random, abandoned RG-58 TV coax in the wall by simply connecting a suitable coax adapter. Some will mention the problem of impedance mismatch, but it's negligible [0]. The downside is that MIMO is not possible, only 1T1R is possible, and 150 Mbps is the best possible speed for 802.11n (but I wonder if it's possible to use a mixer at both ends to convert the second antenna port to a different frequency, so both bands can operate simultaneously in a single coax cable with a duplexer for MIMO).
> I had trouble understanding "how is this secure" when my modem is also connected to the same coax and this is clearly not behind my firewall. Well, of course, you filter out the signal from leaving through the Coax which provides you cable!
A Coax-to-Ethernet modem and a Cable modem don't even have the same analog front-end or use the same modulation, so software-only attacks are practically impossible. It can only be a problem if the attacker has physical access to the coax cable, or if the coax leaks (which always occurs). But then, G.hn uses AES encryption with Diffie-Hellman key exchange [1][2], so you shouldn't worry after all. Man-in-the-Middle attacks can still be a problem; it's more secure to set the password (a.k.a. Device ID) manually via Ethernet instead of using the automatic pairing. But still, it's unlikely that anyone is injecting traffic during the initial pairing.
[0] A 50-ohm transmitter into 75 ohm ideal coax has a VSWR (a metric of impedance mismatch) of better than 1.6:1 at 2.4 GHz, real cable loss can make the apparent VSWR even lower.
>> I only recently understood that my Coax cables are basically like an RF spectrum similar to Wifi except inside the cables. It appears this is taken as obvious because I had a really hard time finding someone explain it like that.
>Back in the days nearly everyone had the experience of connecting an outdoor antenna to a coax cable.
>BTW, you can even run Wi-Fi over a random, abandoned RG-58 TV coax in the wall by simply connecting a suitable coax adapter. Some will mention the problem of impedance mismatch, but it's negligible [0]. The downside is that MIMO is not possible, only 1T1R is possible, and 150 Mbps is the best possible speed for 802.11n (but I wonder if it's possible to use a mixer at both ends to convert the second antenna port to a different frequency, so both bands can operate simultaneously in a single coax cable with a duplexer for MIMO).
This reminds me of a hack we did at work. We needed to connect the networks of two of our labs without going through the official IT equipment (don't ask). The difficulty was one of the labs is a Faraday cage, so essentially no accessible ways of routing cables in and out. However, we do optics research so we had some fiber connections between the labs, they are a limited resource though. What we ended up doing was connecting a media converter to use the fiber connections. But ethernet over fiber uses separate fibers for duplexing and the fibers between labs are a limited resource. We ended up using a circulator (which essentially separates the forward and backward transmission from a fiber into two fibers), and used a single fiber for full-duplex without issues.
Take home message, if you have enough SNR (the media converter bridges are designed for 15 km) you can get away with all sorts of hacks.
> We ended up using a circulator, and used a single fiber for full-duplex without issues.
Great hack.
BTW, I've always wanted to see if a circulator can be used as a Wi-Fi booster. A typical Wi-Fi chipset has a noise figure around 6 dB; in principle, if a high-performance LNA is used, connected via a circulator (so the Wi-Fi doesn't transmit into the amplifier), a 3 or 5 dB improvement for RX should be possible (and without violating any radio regulation!). But since I no longer have to tolerate the horrible campus network, I don't have any motivation to try it anymore...
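An added worked example of the noise-figure arithmetic behind the comment above (example code, not the commenter's): the Friis cascade formula applied to an assumed 6 dB receiver with and without an LNA in front of it. The LNA gain (15 dB), LNA noise figure (1 dB) and circulator insertion loss (0.5 dB) are assumed values chosen for illustration, not figures from the thread.

```python
import math


def db_to_lin(db):
    return 10 ** (db / 10)


def lin_to_db(lin):
    return 10 * math.log10(lin)


def cascaded_noise_figure_db(stages):
    """Friis formula: F = F1 + (F2 - 1)/G1 + (F3 - 1)/(G1*G2) + ...

    stages is an ordered list of (gain_db, nf_db) tuples, antenna side first.
    A passive loss of L dB is modelled as gain -L dB with noise figure L dB.
    """
    total_f = 0.0
    gain_before = 1.0  # linear gain of everything ahead of the current stage
    for i, (gain_db, nf_db) in enumerate(stages):
        f = db_to_lin(nf_db)
        total_f += f if i == 0 else (f - 1) / gain_before
        gain_before *= db_to_lin(gain_db)
    return lin_to_db(total_f)


RECEIVER_NF_DB = 6.0  # typical Wi-Fi chipset noise figure quoted in the comment


def rx_improvement_db(lna_gain_db=15.0, lna_nf_db=1.0, circulator_loss_db=0.5):
    """dB of RX noise-figure improvement from circulator + LNA ahead of the chipset.

    All three defaults are assumed component values, not measured ones.
    """
    bare = cascaded_noise_figure_db([(0.0, RECEIVER_NF_DB)])
    boosted = cascaded_noise_figure_db([
        (-circulator_loss_db, circulator_loss_db),  # antenna -> LNA path through the circulator
        (lna_gain_db, lna_nf_db),                   # external LNA
        (0.0, RECEIVER_NF_DB),                      # the Wi-Fi chipset itself
    ])
    return bare - boosted


if __name__ == "__main__":
    print(f"receiver alone: {cascaded_noise_figure_db([(0.0, RECEIVER_NF_DB)]):.2f} dB NF")
    print(f"with circulator + LNA: improvement {rx_improvement_db():.2f} dB")
    print(f"LNA with 0 dB gain: improvement {rx_improvement_db(lna_gain_db=0.0):.2f} dB")
```

With the assumed parts the improvement comes out a little over 4 dB, inside the 3 to 5 dB range the commenter expects. The circulator loss sits ahead of the LNA and adds to the total almost one-for-one, while the chipset's 6 dB is divided by the LNA gain and mostly disappears; with a zero-gain LNA the extra stages only make things worse, which is why the amplifier's gain matters as much as its noise figure.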
> Take home message, if you have enough SNR (the media converter bridges are designed for 15 km) you can get away with all sorts of hacks.
It's said that all communication accomplishments are ultimately a problem of adding a bunch of positive and negative numbers in your link budget. ;-)
MoCa is great because basically as long as one device is getting a good signal from the outside, everything else on the MoCa network downstream of the filter+MoCa device will work and is "shielded" in some sense from the outside. Much less fussing around with too many splitters leaving a weak signal for the box in the farthest bedroom, or needing an amplifier in most cases.
A buddy and I had this idea ~6-7 years ago, and had a couple of the Zoom DOCSIS 3 modems handy. They have something like a 100 MHz fairly high bit depth A/D on them. At the time the price/bandwidth was crazy (and still is if someone managed to pull it off with a modern DOCSIS 3.1 system). I got some boot logs/etc but didn't get very far into reverse engineering the chip. It's too bad that the chip vendors go to such lengths to hide what is basically mostly repackaged 3rd party IP from DesignWare/ARM/etc.
Current DOCSIS has ~200 MHz sampling per OFDM channel; given a 3rd party tuner in front of it, the results might be pretty crazy.
Super cool hack and great write up. It’s nice to see this go all the way from poking at hardware to decompiling binaries and then some signal processing. Kudos.
You mentioned you were getting distortion/noise when downsampling below 928kHz. Are you lowpass-filtering before you decimate (but after you demodulate)? Otherwise you will get all kinds of aliasing.
Looks like FM radio stations have a bandwidth of 200kHz so you should be able to lowpass with a cutoff of around 50kHz then decimate to 232kHz.
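An added illustration of the aliasing concern raised in this comment (example code, not from the article author or the commenter): a constructed 928 kHz input containing a 20 kHz tone and a 300 kHz tone is decimated by 4 to 232 kHz, once by simply dropping samples and once with a 50 kHz Hamming-windowed FIR low-pass applied first. The tone frequencies, the 101-tap filter design and the 10 ms buffer length are assumptions chosen so that every tone completes a whole number of cycles and the measurements are exact.

```python
import cmath
import math

FS_IN = 928_000           # device sample rate mentioned in the thread (Hz)
DECIM = 4                 # 928 kHz -> 232 kHz
FS_OUT = FS_IN // DECIM   # 232 kHz
N_IN = 9_280              # 10 ms buffer; every tone below completes a whole number of cycles
IN_BAND_HZ = 20_000       # constructed in-band tone (inside the ~50 kHz cutoff)
OUT_OF_BAND_HZ = 300_000  # constructed out-of-band tone, above the new Nyquist (116 kHz)
ALIAS_HZ = OUT_OF_BAND_HZ - FS_OUT  # where 300 kHz folds to at 232 kHz: 68 kHz


def make_signal(n=N_IN, fs=FS_IN):
    """Constructed test input: unit-amplitude 20 kHz and 300 kHz sine tones."""
    return [math.sin(2 * math.pi * IN_BAND_HZ * i / fs)
            + math.sin(2 * math.pi * OUT_OF_BAND_HZ * i / fs) for i in range(n)]


def lowpass_taps(cutoff_hz, fs, ntaps=101):
    """Hamming-windowed sinc FIR low-pass, normalised to unity DC gain (assumed design)."""
    fc = cutoff_hz / fs
    mid = (ntaps - 1) / 2
    taps = []
    for k in range(ntaps):
        x = k - mid
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * k / (ntaps - 1))
        taps.append(sinc * window)
    total = sum(taps)
    return [t / total for t in taps]


def fir_filter(x, taps):
    """Circular convolution; the test signal is periodic, so this is exact steady state."""
    n = len(x)
    return [sum(h * x[(i - k) % n] for k, h in enumerate(taps)) for i in range(n)]


def decimate(x, factor):
    """Keep every factor-th sample (what the author's device does, with no filter)."""
    return x[::factor]


def tone_amplitude(x, freq_hz, fs):
    """Amplitude of a sinusoid at freq_hz from a single DFT bin: 2|X(f)|/N."""
    n = len(x)
    acc = sum(v * cmath.exp(-2j * math.pi * freq_hz * i / fs) for i, v in enumerate(x))
    return 2 * abs(acc) / n


def compare(cutoff_hz=50_000):
    """Tone amplitudes seen at 232 kHz, with and without the low-pass before decimation."""
    x = make_signal()
    raw = decimate(x, DECIM)
    filtered = decimate(fir_filter(x, lowpass_taps(cutoff_hz, FS_IN)), DECIM)
    return {
        "raw_in_band": tone_amplitude(raw, IN_BAND_HZ, FS_OUT),
        "raw_alias": tone_amplitude(raw, ALIAS_HZ, FS_OUT),
        "filtered_in_band": tone_amplitude(filtered, IN_BAND_HZ, FS_OUT),
        "filtered_alias": tone_amplitude(filtered, ALIAS_HZ, FS_OUT),
    }


if __name__ == "__main__":
    for name, amp in compare().items():
        print(f"{name:18s} {amp:.4f}")
```

Without the filter the 300 kHz tone survives decimation at full amplitude, but it now appears at 68 kHz (300 kHz minus the 232 kHz output rate), indistinguishable from a real 68 kHz signal; with the low-pass in front it is attenuated to well under a percent while the 20 kHz tone passes unchanged. The cost is one multiply-add per tap per input sample, which is exactly the budget the author's reply says the device cannot afford in the sampling loop.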
Thank you.
I am just throwing away samples without filtering because it has to be done as quickly as possible on the device itself in order to send it out before the next chunk of data is ready. It is sort of a hack because I can’t lower the sample rate so it is the only way to make the quantity of data manageable.
Just expanding your acronyms for any people that might not know them by heart:
Your Mileage May Vary but
International Islamic University Chittagong it's
European Association of Fish Pathologists when giving Too Much Information on Three Letter Acronyms, especially technical jargon, rather than just quoting Let Me Google That For You or insisting folks Ready Team Fire Assist.
(... and I can't help but add IAnal, IAnyl, This Is Not Legal Advice, etc.)
I just couldn't remember the meaning since I've only read maybe a couple of articles on the topic. So I had to Google it, and it was the 4th result.
I tried to CTRL-F "SDR" on the article page, but there was no mention of what the abbreviation stands for. I realize it's meant for technically inclined readers, and it is a great article and project. I should've checked the linked websites first, but it was easier to just Google it :)
I'd include a short mention of what SDR stands for (maybe with a link to Wikipedia) at the top so people unfamiliar with it can get an idea of what they're about to read. Just imo.
I had never heard of this acronym. If you post on a forum about SDR’s, I guess it’s fine to not explain it, but it’s a public blog post shared to ‘Show HN’ so it makes a lot of sense to add two or three phrases that shortly explain the term after introducing it.
As someone who’s constantly appalled by the number of TVs on the market that claim HDR but can’t even reach the minimum spec of 1000 nits, this was me!
Kudos! LimeSDR has found its niche in "hobbyist" radio astronomy. It's entirely within the realm of possibility that a civilian using a low-budget board discovers the next big meteor approaching our planet, or even a faint signal from advanced alien life ;)
Almost but not quite completely off topic: a very low budget sci-fi film was released last year or so with the unfortunately overloaded name "Cosmos"[1] - the protagonists are doing radio astronomy from the back of their Volvo. I really enjoyed the movie - it had just enough science explainers so people unfamiliar wouldn't get lost, but it wasn't dumbed down.
This was a side project of a few people that had previously been making documentaries for NASA, and you could feel that "swelling music, new frontiers and science" vibe you might get from a decent documentary.
I don't think you're going to detect anything close to the earth without being able to transmit (or a very sensitive passive system, I guess, but I'd have to do the calculations), which is not really amateur territory.
Cool hack, however I agree with the poster: since it appears to only have a 500 kHz usable bandwidth (less than rtl-sdr) at an albeit faster (5x) sample rate, I probably won't have much use for it. Definitely a great reverse engineering and discovery journey though.
Just saying a 5V device had no problem interpreting -12 as 0 and +12 as 1 (wayyyy out of specs). And the serial port accepted 5 as good as +12 and 0V as -12V. No level shifting.
Did require inverting in code since RS232 uses -12V as logic 1 and +12 as 0.
The command line interface eCos has to call any C function sounds interesting, I wonder if there is a standalone library to do this on other platforms.
To further boost performance, it might be worth skipping past interrupts and going straight for DMA, as the CPU probably doesn't need to be doing anything. I imagine figuring out how that works on an undocumented chip would be quite tricky though.
> I wonder if there is a standalone library to do this on other platforms.
There's a thing called Cycript for jailbroken iOS that, among other features, allows you to attach to any process and then gives you what's basically a command line interface to the objective-c runtime. It's a godsend for reversing iOS apps.
It should also be trivial to implement a similar tool for Android using Xposed framework.
I love this sort of stuff -- does anyone know of a solid forum/place for these kinds of projects (outside of searching here)?
Specifically, I have a basement full of old (some non-working) hardware for various gadgets/computers/electronics and I'd love to upcycle them into ... something else. Instructables and WikiHow are the usual places, but it's usually things that require "the thing you're building"[0] to build or require buying so many new components that by the time you're done you've bought a product minus a few motors.
I yearn for the "Make X do Y" with a small number of inexpensive tools (preferably ones I own, but that's a tricky proposition) where "X" is something common, or obsolete and "Y" is something outside of or is an upgrade to its design[1]. I love doing this sort of thing and I find that about half the time when I'm working on Pi/Arduino projects I have way more parts than I realize -- I can't believe I purchased any loose low power LEDs (IR, colored...) I have a whole box of remotes/miscellania that should really be in the garbage for how useless it is ... until I need a 1.5V LED, have only 5V+, and can't wait a day for shipping. I started salvaging electronics before trashing them. It'd be nice if I could look up the whole obsolete device and see what I can use more of it in... plus, at least for me, I'd throw less away (and store less in boxes).
[0] My go-to is the small number of "Blu-Ray Engraver/Laser Cutters". Every one I could find (A) required a laser cutter, or (B) many of the laser-cut parts required a laser cutter that was bigger than the one being built, so you couldn't even sell the more expensive laser cutter if you wish to be able to produce a second one. It's a small issue in that there are still other parts that need to be purchased, but you have to buy a laser cutter to make the custom, $0.01 in pressed board, set of parts. The others are nearly every upcycled RC-Car.
[1] I had a friend who designed custom sub-woofers for cars when I was younger. He had a Yamaha off-the-shelf sub that he modified to the tune of $250 and some of his own time. It put my $1000 sub to shame. I can't remember all the specifics of the modification, but I know he used the original amp board and some upgraded MOSFETS but didn't touch the 10" speaker or the cabinet (which was what he spent most of his time on, typically).
SDR (Software-Defined Radio) is cool. RTL-SDR uses a $25 USB TV tuner dongle to do all kinds of cool things like catching weather satellite downloads, listening to local emergency services, and software-controlled RF scanners.
Interesting. I have the same model as you used (MB7220) but port 8080 appears to be closed (connection refused). In fact, nmap shows no ports except 80 are open. I guess a firmware update took that out.
Mine reports version 7220-5.7.1.15 in the admin console. I would be interested to know if anyone else is able to access it.
I use this modem for my internet service so unfortunately I can't just take it apart to replicate this experiment!
With your use of threading you can, instead of using one semaphore and buffer, do two half as big, so one thread can always read one while the other is written. That could potentially remove all useless idling from your solution.
It wasn’t well explained, but there are two buffers. Even with the sampling loop as tight as I could get it I think there is just a few ms of inherent delay between when it finishes reading and when it is ready to read again.
I wouldn't be surprised if this turns out to be the first crack in opening this modem further and finding the transmit functions.
After all, a modem has to be able to send as well as receive, and a transmit-arbitrary-IQ-samples function would be useful for calibration at manufacture time.
> With so few firsts available in life, take those that present themselves and have a crack, even if failure is always an option.
About two years ago I realized I was doing the opposite sort-of without realizing it. I'd want to do something given a set of constraints (say, create some app in some specific programming language or for some platform), google it, find that there was some loose chatter around the idea and I'd dismiss it thinking "well, 'The Internet' hasn't done it/doesn't think it's possible, so I shouldn't bother".
Maybe it's a form of imposter syndrome. For me, I think it's more complicated:
I'd reach a point in a framework/subset of "whatever stack/language I was focused on at that time" where I was running out of obvious "new things to try", so I'd Google and find the same list; 'The Internet' decided for me that there's really not anything else of use to do with this framework, let's learn a new one.
I need to "do X with Y", I Google it and find "Y" nowhere, but find "Z" everywhere. It's a bad fit but that's how 'The Internet' does it.
The most common, and one I specifically guard against and it happens consistently with endeavors like this: I want to make "X" do "Y" knowing full well that "Y" is not designed for (or more frequently specifically designed to prevent me from) doing "Y". After wading through replies to countless other people daring to ask the question in a forum -- the usual: "You don't know what you're talking about, can't be done, you shouldn't try it", "Why would you even want to do that when you can get 'Y' for $.$$ on eBay?", "Google it" (I did, that's why I'm here after 4 pages of clicking). Lovely how every question has 3-4 unhelpful-non-answers in one of these categories.
I changed my approach more than a decade ago while trying to reverse engineer the obfuscation a large telecom vendor used for their mobile broadband password storage in the Windows Registry[0] and succeeded in writing an "obfuscator" in a day from first introduction to deployed solution. Ever since then, I trust my instinct when I have expertise. When I do not, I read a very positive signal when "a lot of people are asking if something can be done" IFF there isn't a good answer to why it "can't be done" and any reasons why it "shouldn't be done" don't apply to the issue at hand.
[0] I recall, at the time, most of the answers were some form of "IANAL... but..." -- our purpose was to assign a random password to a user's account, then install the client to the user's company-assigned laptop with that password pre-populated (I didn't come up with the idea, I just had to figure out how to do it). The remainder of the answers were variants of "you can't crack AES" and "IM L33t H4x0R - WiLl CrAcK 4U". It was very clearly not AES or anything resembling a hash. It took so little effort to figure out that I would have saved time by "Starting Before Googling". Nobody (searchable) had tried. Probably nobody had a (legitimate) reason to try. It was just surprising how many people had a reason to "not try" while also discouraging others from trying with either wrong information or no information at all.