A Word of Warning from a Caught Uncapper (Autumn, 2002) ------------------------------------------------------- By Kris Olson Bored during my summer, I thought I would take this project on. I began my research on June 26, before 2600 published the article on uncapping. Through various methods (mainly IRC) I talked to several people and finally figured out how to uncap my modem. Well, it wasn't as easy as it seems. I went to a lot of trouble that in the end left me without cable and nearly in jail. My ISP, like many, uses a system called QoS, or Quality of Service. This means a few things. 1. You can't connect without a config that the ISP doesn t already have (i.e., you can't create a config file with a 10mbit/10mbit line if the cable company only offers 400/200 800/400 and 1.5/512). This means in order to uncap, you can only uncap to a better service plan (i.e., going from 400/200 to 1.5/512). 2. To uncap to a better service plan you must get the config for that service plan, as making one with those caps often will not work. Take note, this config file has a different name than the one sent to your modem, and since TFTP protocol doesn't allow directory listing, you must either have once used the faster service and seen the config file, or you have to know someone who has it who can help you out. Should you manage to get this config file, your problems are still not over. 3. The QoS then checks your modem s MAC address every 10 to 50 minutes (depending on the size of your node) to make sure that the parameters set in your modem are the ones that you pay for. Note: the MAC cannot be changed because you have to register your MAC with the ISP, so they inevitably know who you are. To get around the QoS resetting your modem, one may think Well hey, let's just change the SNMP ports so they can't send the reboot command to me! Hah! That pisses them off like nothing else and yes, they can track that. All it takes is about a day to find your port. The default SNMP ports are 161 and 162. I changed mine to 9999999941 and 9999999942. In two days they were once again resetting via SNMP. 4. So you figure, "Well, that means I have one or two days of uncapped modem, right?" Wrong. There is another way they can reset you that you can do nothing about. In order for your modem to stay connected to the server it must "ping" the server and get responses back. I say "ping" in quotations since it is not your normal 52 byte packet ping. It is a special CMTS type ping. What the ISP can do, should they notice that you are indeed using a faster config, is "suspend" the "pings," meaning that they are lost, and none come back to the modem. This will force an "HFC: Async Error Range Failed" error on your modem's log, which will be followed by "HFC: Shutting Upstream Down," and then "BOOTING: (firmware version)." So now, this doesn't seem that bad. You may be thinking, "Why is this guy even writing this stuff; if there is a will there is a way." That is true, but my purpose is to show you that if your ISP does use QoS (examples of some that do are: Blueyonder, ATTBI, Cableone, Charter, Comcast, and NTL), then if you ever attempt to uncap, they will notice and they will call you. I received my first call the morning after I requested tech support to come out and fix the signal strength of my line. (It was way out of spec and kept resetting my modem.) Well, as protocol they watch your line to see what they can diagnose before the tech arrives at your house. Well that morning (the 10th of July) I uncapped and within ten minutes I had a call from the headquarters of my ISP, some 600 miles away. This was a "tap on the wrist" type conversation. They said basically, we see that you are uncapping, and that violates our Terms of Service agreement. Don't do it again. So I didn't for a while. A couple of weeks went by and I used Ethereal, a common network "sniffer" to determine whether or not my ISP was watching my MAC address. Later I learned that they were on the entire time and when they saw me "sniffing" for info, they simply hid themselves behind the IP address 255.255.255.254. Not knowing that information, I decided it was safe to uncap again. And so I did and continued to be reset with HFC errors. I tried various methods to get around it: installed hacked firmware, sent various SNMP commands, even attempted to fake a CMTP server so that the CM would send the "pings" to a computer on my LAN, all to no avail. So when my modem would go back to normal, I would send it a new config, and the process went on and on and on like that for two weeks or so. I left early on Friday morning for a little weekend getaway. While I was out of town, I didn't even think about the status of my cable. No, I did not leave it uncapped when I left the house, but the damage had already been done. My ISP had all the evidence they needed to shut my cable off, and press misdemeanor charges, mainly based on cyber theft. I returned to find a message on my answering machine from an "Internet Engineer" at the ISP s headquarters. He was not very pleased. The message was over 15 minutes long and contained a great deal of threats and comments obviously designed to scare an uncapper. It worked. I was terrified. After hearing the message, I went out to check the mail. In there was an envelope from my ISP containing a "Declaration of Termination of Service." In this letter were several items, including possible criminal charges to be pressed, two pages detailing every time I uncapped from July 10 to the present, and a long, long list on how I violated the Terms of Service with my ISP. Sure enough, when I went to contact the Internet Engineer by email, (the only contact information that was listed), my Internet service did not work. As a routing check, I looked at my modem's log file only to find this disturbing message: 7-Information D509.0 Retrieved TFTP Config TRMNT.cm SUCCESS. It was clear. My service had been terminated. But my problems were not over yet. The following day (August 5) I received another call from him, telling me that the ISP wanted to press charges. As soon as I was off the phone I immediately called my lawyer and told him the entire situation. My lawyer spent the rest of the day on the phone with my ISP and came to an agreement that for the two months that I uncapped, I would have to pay for the better service. In the end, uncapping got me these final results: Pros: * 200+ KBps downloads (needing to be reconfigured every 35 minutes). * 100+ KBps uploads (needing to be reconfigured every 35 minutes). Cons: * No more cable Internet. * Almost got charges pressed. * Ended up wasting about 150 hours of my life to no avail. * Had to deal with really pissed off nerds with power. The choice is up to you. This was just my experience.