I think it's more about getting root than adding a route. I assume the author is aware that he can purchase a separate router. DOCSIS hacking is highly frowned upon by cable companies, and the FBI. It's probably better to have a practical reason to do it, instead of "I wanted to see if I could."
If I remember correctly, an ISP can push a new firmware to a Docsis3 modem at any time too and force reboot it.
Bothers me none of my modems have ever had the option to turn off WAN-side flashing, never know who is going to figure out how to take advantage of that.
Have a SPI flasher permanently connected, and a device on the LAN connected to that flasher, and to the LAN in order to automatically detect firmware version changes. When one is detected, dump the firmware update, and reflash your preferred version, and have it match the reported version of the new update. If you have a router in front of your modem, you could even make a killswitch that blocks WAN until the reflash is complete.
Given the author posted it on danman.eu I would assume EU law applies. Not sure in which scenario FBI would get involved. Cause this is legal to do in EU.
When I said that I was thinking of a story from 10 or 20 years ago where a bunch of people were increasing their bandwidth by hacking their cablemodems, and they all got raided. I can't seem to find the exact story right now, but Google returns a few similar stories.
I vaguely remember this. IIRC the people raided were those hacking into the CMTS to uncap their modems and their friends modems and I want to say that at least one of them was selling services to uncap modems. Perhaps the notion of hacking was just modding the cable modem to ignore limits being given by the CMTS but either way I believe someone was selling access to this which got the attention of the feds.
I agree. No idea if that is still possible these days. Perhaps someone here is involved in the DOCSIS standards or is a cable modem hacker and could offer some insight as to how things may have evolved.
I don't know about the FBI specifically but telecom equipment is regulated and in most places it's not legal to roll your own interface to the infrastructure. Even if you bring your own modem these days, it becomes administered remotely by your ISP. Similar to phreaking being a crime. Even if you have an agreement with your ISP, I'd expect you'd be breaking it and crossing into fraud or toll fraud at the least.
This is tricky, because "telecom" only has POTS and cable TV within its scope. "Internet" service that just uses ethernet technologies are their own separate thing, and why "Ma Bell" megacorps can get away with their junk Internet service because it's regulated differently than POTS.
> I don't know about the FBI specifically but telecom equipment is regulated and in most places it's not legal to roll your own interface to the infrastructure.
In the EU, the Directive 2015/2120 [1] enforces the ability of customers to bring their own modems, no matter if you are running fiber, xDSL or DOCSIS.
UPC got slapped for this before it was sold to Vodafone. So for a time one could buy the modem - its pretty nasty because the rent price is exactly calculated from 2 years the company has warranty from the hw distributor. So basically if you use it for more than 2 years you are paying for payed off hardware for nothing. And of course those devices and users last far more than 2 years (more like 5-10) this is just money printing.
But other coment is right. They have to allow you use your device.
Vodafone has gotten under fire here in Germany for the same shady practice too [1]. They are seriously one of the worst providers out there... but they must allow you to connect your own modem. Get a lawyer or go to your equivalent of a consumer protection agency.
On the other hand, the EU has laws that actually guarantee users the right to use their own hardware if they want. The providers have to provide any required documentation and if the system requires devices to be registered, the providers are obliged to register user devices.
The make/model appears to be a COMPAL CH7465LG, and it's got a 1.2GHz dual core CPU, a RealTek RTL8365MB switch chip, 4 GBE ports and WiFi, so it's arguably enough of a router in it's own right.
From the screenshot at the top it looks like they're using unitymedia. The funny thing is, at least in the past, that thing resets entirely if you disconnect it from power for some time, booting up with some old firmware revision afterwards. If you power it on then and quickly access the web interface, you'll see the option for bridge mode. Then it magically updates, and the option is gone. (this was a few years ago)
As far as I know vodafone uses the same modem/router for all DOCSIS connections, but disables some funcionality (such as bridge mode) for 'ex-unitymedia' connections.
It seems like the integration of both networks is quite a task and the bridge-mode feature is not a priority. How the bridge-mode is affected by the network backbone is unclear to me. IPv6 delegation also does not work for me.
Looking at the screenshots of the admin panel (and the fact that pictures further down seem to show switch ports) it seems that this is a modem/router/switch combo. Unlike many providers that just provide a modem with no router functionality and just an Ethernet port.
It still would be easier to just put it into bridge mode if that's an option and use a better router, it is still an interesting hacking project!
Just a terminology nit in the article: this isn't really exploiting anything. Exploitation means breaking intended security, but there is no security here; obviously this device was not designed to attempt to stop you from tinkering with eMMC directly. Hacking is the more general term for what this is :-)
Cable modems in general don't seem to really make much of an attempt at physical-access security, even though they rely on being "secure from the owner" to enforce ISP bandwidth limits. Back when I was on cable, my cable router didn't have an official bridge mode, but there was a way to get telnet by uncommenting a hidden settings field in the HTML (lol) and then you could use an undocumented command to enable it. Later, the ISP broke this in an update, possibly inadvertently: bridge mode was still there, but enabling it caused some process to crashloop and destroyed performance. I got tired of that nonsense, found an old firmware image, and directly flashed it to the SPI flash chip on the board (except I left the version metadata as the higher one, so it wouldn't try to update itself again). Worked fine until I moved out of that place and stopped using cable. The DOCSIS cert and private key were right there in the flash too, I'm pretty sure I still have a backup somewhere.
Oh I remember this tutorial, because I followed it once to get telnet to this exact device.
I even bought a special transcend sd card reader that was said to support 1-bit mode, but what worked for me in the end was the cheapest and crappiest looking adapter I had.
The funny thing is that you can use this method to illegaly increase your internet speed, since it is limited by the modem, not by the ISP's equipment.
> The funny thing is that you can use this method to illegaly increase your internet speed, since it is limited by the modem, not by the ISP's equipment.
No way. I wonder if this works with ADSL modems. That's absolutely insane.
ADSL modems are a totally different beast. With *DSL, you have a point to point connection with the telephone company equipment. It doesn't make sense to limit speed with the customer premises equipment, since the company equipment can easily do it (usually by limiting the negotiated sync speeds) With cable, it's a broadcast medium, so it's a lot simpler to let the network equipment be simple and have the CPE limit speeds. OTOH, network equipment capabilities have increased a lot since the early days.
DSL has a speed limit on the DSLAM side, but cable has to deal with a shared medium and for some god forsaken reason the DOCSIS people decided that ISPs should trust the devices placed into people's homes to do rate limiting.
In the same vein it's also trivial to hack many IPTV boxes used by fiber/DSL providers to give you free shows and channels because they essentially filter out the options you can click on on the client side rather than do any server side validation. There was a somewhat prolific subforum on a Dutch tech forum that tried to get into customising ISP IPTV boxes (didn't even need to alter the firmware, just needed to mess around with some JSON in transit) but that got cease-and-desisted because the method people used to alter themes could just as easily unlock most paid content.
Sometimes it really does look like TV related ISPs are still living in the 90s when it comes to security boundaries.
With a shared medium trusting customer premise equipment to do proper, compatible media access control is pretty much inevitable. A device could just as easily transmit noise all day long, ruining service for everyone on the same cable segment. The only way to make that impossible would require rewiring everything as a switched network, which would generally mean running a fiber to every home.
When it comes to submitting well-formed streams, I agree.
With DOCSIS, though, there's frequency/time block negotiation going on that a central node needs to confirm.
A modem getting 1000mbps down on a 100mbps subscription should not be possible by simply flashing the modem with different firmware.
This problem has been solved for LTE and other wireless standards, there's no reason why DOCSIS should stick to this old design in their new iterations.
If it hasn't limited by the modem, you could just saturate the connection up to where it's limited when uploading
For cable modems, the modem runs the ISP's firmware which downloads runtime parameters from the ISP. The supported modem list is modem's they have firmware for that run on their network
Afaik it's not very difficult for the ISP to detect modified modems
Not in the UK, its set by the cabinet which in my case is a Broadcom running version 12.3.16.
So one of the reasons why its set by the cabinet is they charge different fees for different connection speeds.
So in the UK if you are limited to say a 40Mb or 80Mb download and whatever upload, when your adsl router/modem connects or negotiates a speed (max DSLAM throughput), even if you could negotiate a 100Mb speed, you would be throttled to whatever you package speed is and then with things like TR069 (https://en.wikipedia.org/wiki/TR-069) they can remote control your router. So that will include disconnecting your ADSL connection, reconnecting and giving you a new IP address if you dont pay for a fixed ip address. One ISP I tested could reset the connection and give you new IP address every second, it was literally as quick as the device could handle getting the new ip address in bridge mode.
AFAIK the adls cabinets also have a separate RF communication channel possibly as an independent backup if the mainlines go down but power still remains.
I know if the engineers so much as opens the door to a cabinet, it phones home possibly over the RF or maybe using both network and RF, havent established that yet, but things are quite joined up here from what I've been able to tell.
Other factors will which affect the DSL speed are the stability settings, so do you have little to no interference and error checking for max speed or do you go cautious and have lots of interference mitigation enabled on the adsl modem/router. Think of adsl as loads of radio stations all transmitting down a wire, to get more speed you tune into and listen to more radio stations all at the same time. For slower speeds you tune into just a couple radio stations. The frequency of the "radio" station also counts, like listening to poor radio quality on Long wave which can bounce around the planet, Medium Wave which can cover a sizable area or Frequency Modulation which you need to be close by to get. Same as mobile phone 2G, 3G, 4G & 5G. The bubble or area of 2G is massive, where as 5G is tiny, but that tiny bubble can transmit alot unlike 2G which is slower. Same sort of concept just transmitted & contained down a wire instead of over the air.
One reason hard coding the route in the modem is it can prevent random accesses to the GUI from malware in the computer or in other network devices and then other network security can come into play.
There's a lot of info in this post, and will be similar and thus relevant for hacking other devices.
If its vulnerable (I'd first look at wireless comms and remote open ports) I'd just get a better/different router instead of this one. There's some quality ones out there. AVM sells a Fritz!box which has DOSCIS, and if you don't fancy Fritz!OS (fair enough) you can install something else like OpenWrt. If provider doesn't deliver these, QQ about it in public, or switch provider.
I used to run my own PCI DSL modem (read: router) on a Soekris. Sanoma S518 was ADSL1 only and difficult to get working FOSS drivers for (IIRC didn't work on *BSD). Sanoma S519 worked for ADSL2, but used a RTL8139 externally while it ran proprietary firmware for the DSL part. I ditched it when I got VDSL(2). Later on, I found a Draytek Vigor (IIRC with the numbers 130 or 132 in it) which did work with VDSL but I already gave up and ran a Fritz!box instead. Which used to be hackable, in the sense that you could get root on it, and mod it ('Freetz').
A tip, since i see a UPC modem: The puma6 chipset has a bug which causes various latency issues and connection drops on Wifi. Better use a different WifiRouter behind the modem.
Really interesting and I have no idea why it has to be this hard. Fun nonetheless, though cynically, I was holding out hope that hope that after all the work he'd find the feature in the web interface.
I do all my routing on my router. The cable modem is just the box that turns the square cable into the round cable.