Creative Cable Modem Configuration

by Pankaj Arora  (pankajarora@paware.com)

An interesting aspect of cable modem technology is the evolution and standardization of the Data Over Cable Service Interface Specification (DOCSIS), developed by Cable Television Laboratories, Inc. and approved by the International Telecommunication Union (ITU).

This piece looks at the way ISPs configure DOCSIS-compliant cable modems and is written to educate the reader on how a cable modem user could potentially configure their own device.

Take very important note: reconfiguring and/or tampering with your cable modem not only most likely breaks your terms of service agreement but could potentially be found illegal in most jurisdictions and would then be punishable by law.

If you wish to experiment, prior permission from your cable modem service provider would most certainly be necessary.  I urge you to educate yourself through this writing but not to break the rules, and I urge cable modem service providers to use the information contained in this article to help better protect their service.  I have a cable modem myself and I respect my cable company and the law - but I also highly value free speech and learning.

This article makes the assumption that the reader has prior TCP/IP, networking, and Linux knowledge (although this can theoretically be done on plenty of other OSes).  There are certain exceptions to the content of this article and claims are based on a generalization of the DOCSIS-compliant cable modems that exist on the market today as well as my own testing - and the work of others.

How does an ISP configure DOCSIS-compliant cable modems?

To answer that, one should first take notice of the interfaces on a cable modem.

One interface connects to the coaxial cable itself.  This is the HFC interface.  Another is traditionally either Ethernet or USB (or both in some models) and is used to connect the cable modem to the customer's computer (or other network device).  This is the CPE interface.  As you may already know, the device we connect the cable modem to will have a hard-coded (but still "spoofable") MAC address, accompanied by an IP address which is either static or dynamically assigned by the ISP and of course handled in software.

However, a few things most people may not know are:

  • The cable modem itself has a hardware address and an IP address on the HFC interface.
  • The cable modem itself has another IP address on the CPE interface.

Generally this IP address is 192.168.100.1.

When you turn your cable modem on, it uses a primitive TCP/IP stack and DHCP client to request an IP address for the HFC interface.

With some ISPs the IP address it will receive will be a 10.x.x.x address.  Additionally, upon receiving the IP address for the HFC interface, it may also receive the IP address for the ISP's Trivial File Transfer Protocol (TFTP) server.

Once the modem obtains the IP address for the TFTP server it will connect to the server, download a configuration file, and use that to set up such things as downstream and upstream bandwidth caps.  It's a rather simple process that usually doesn't take more than a minute.

How would one hypothetically configure a cable modem?

To configure a cable modem, the first thing one would have to do is obtain the IP address of the ISP's TFTP server.  For some it may actually be the same as the ISP's DHCP server.  To find the address one could look at the information provided by the cable modem's mini web server (which exists on some modems such as certain Motorola SURFboard models and can be accessed via the Ethernet/USB interface IP address, e.g. 192.168.100.1, using a standard web browser).

Alternatively, if that option isn't available or if the TFTP server information isn't given via the web server, then one could possibly use an SNMP client to scan the modem for that same information.

Using the same process, one would also need to obtain the name of the DOCSIS configuration file the modem downloads, since TFTP doesn't allow you to list directories and thus a specific filename must be known to be able to download the configuration file.

Once you find that out, the next steps are to use a TFTP client to download the configuration file off the ISP's TFTP server and to use a DOCSIS utility to decode the file into a readable text format.

Once you decode the configuration file, it will look something like this:

    Main {
        NetworkAccess 1;
        ClassOfService {
            ClassID 1;
            MaxRateDown 1544000;
            MaxRateUp 128000;
            PriorityUp 0;
            GuaranteedUp 0;
            MaxBurstUp 0;
            PrivacyEnable 0;
        }
        MaxCPE 3;
        /* EndOfDataMarker */
    }

One could theoretically adjust the settings to his or her own preference.

For example, setting MaxRateUp to 0 would remove any upstream cap that may exist on the cable modem's end and setting MaxRateDown to 0 would do the same for downstream.

After any changes are made, the file can be re-encoded using a DOCSIS utility.
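From the provider's side, the same decoded text format can be parsed and compared against what a subscriber was provisioned with.  The following is an added example, not code from the article or from any DOCSIS utility: the function names, the sample text and the tier values are constructed, and how the provider obtains a modem's active settings is outside its scope.

```python
import re

# Constructed sample: the article's decoded file with MaxRateUp changed to 0.
SAMPLE = """Main {
NetworkAccess 1;
ClassOfService {
ClassID 1; MaxRateDown 1544000; MaxRateUp 0;
PriorityUp 0; GuaranteedUp 0; MaxBurstUp 0; PrivacyEnable 0;
}
MaxCPE 3;
/* EndOfDataMarker */
}"""

# Assumed provisioned tier for this subscriber (values from the article's sample).
TIER = {"MaxRateDown": 1544000, "MaxRateUp": 128000}

# Tokens: comments, braces/semicolons, or runs of other non-space characters.
TOKEN = re.compile(r"/\*.*?\*/|[{};]|[^\s{};]+", re.S)

def parse_config(text):
    """Parse decoded config text into nested dicts, e.g. cfg['Main']['MaxCPE']."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("/*")]
    pos = 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name, nxt = tokens[pos], tokens[pos + 1]
            if nxt == "{":          # nested section such as ClassOfService
                pos += 2
                out[name] = block()
                pos += 1            # step over the closing brace
            else:                   # "Name value;" setting
                out[name] = int(nxt) if nxt.isdigit() else nxt
                pos += 3
        return out
    return block()

def audit(cfg, tier):
    """List rate settings that are uncapped or looser than the provisioned tier."""
    cos = cfg["Main"].get("ClassOfService", {})
    findings = []
    for key in ("MaxRateDown", "MaxRateUp"):
        active = cos.get(key)
        if not active:              # 0 removes the cap; absent is flagged too
            findings.append(f"{key}: absent or 0 (uncapped), provisioned {tier[key]}")
        elif active > tier[key]:
            findings.append(f"{key}: {active} exceeds provisioned {tier[key]}")
    return findings
```

The parser handles the single ClassOfService section shown in the article; a file with several sections of the same name would need the dict replaced by a list.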

Again, let me stress to you, know the rules and follow them.  This information is provided for understanding and was not produced with the intent of fostering and/or promoting illegal activities.  Be smart and keep it legal, but at the same time don't be afraid to learn about this technology.

How would one apply the configuration themselves?

The next steps involve running both a TFTP server and a time server (since many cable modems time-stamp the log entries they make) on the computer/device that is connected to the cable modem (CPE interface).  The process is rather straightforward:

1.)  Place the configuration file in the root directory of the TFTP server making sure you use the exact same file name your ISP uses.

2.)  Depending on what OS you use you may want to create an entry in your hosts file for the modem's CPE IP address (since DNS will not be available when the cable modem is connecting to the TFTP server, and things such as the standard Linux inetd service do not like the lack of DNS availability when resolving hostnames - most Linux distributions have the hosts file at: /etc/hosts).

3.)  Create an alias IP address on the interface your cable modem is connected to.  As you may have guessed, the alias IP address needs to be the IP address of the TFTP server as you are going to be doing a little spoofing.  Depending on your OS, this can be done in a variety of ways.  Under Linux, with IP aliasing installed in the kernel, one could simply issue the following command:

# ifconfig eth0:1 [tftp server] netmask 255.255.255.255

Replace [tftp server] with the IP address of your ISP's TFTP server of course.  If you don't have IP aliasing built into the kernel or otherwise generally available you could just theoretically change your IP address to that of the TFTP server for the time being.  You will want to ensure you set the netmask to 255.255.255.255 to avoid unwanted network routes which could cause problems.

4.)  The next step is to create a static route to your cable modem to ensure you are coming from the spoofed address.  Under Linux one could issue the command:

# route add -host [cpe interface ip address] gw [tftp server]

again replacing that which is in brackets with the proper values.

5.)  Once all the preceding setup is complete, one would start their TFTP and time server with everything in place and start pinging the cable modem's CPE IP address and then, while that is occurring, reset the cable modem (or unplug it for a few moments and plug it back in).

If you were able to get this far and you set everything up right, chances are the cable modem will download the configuration file from you.  Once this is complete the aliased address can be deleted or the IP address can be set back to DHCP or the static address given by your ISP.  Additionally, you can stop pinging.  You can verify this works via an SNMP query on the CPE interface or by just testing the results of any changes made.

Back up!  How does this all make sense?

For the most part, the setup is similar to how things are set up on an ISP's end.  The pinging of the cable modem's CPE interface "poisons" the ARP cache of the cable modem, and the resetting of the modem flushes the cache so that the ISP's TFTP server MAC address (the real one) is flushed out.

This process essentially makes the cable modem believe the MAC address of the TFTP server is yours instead of that which belongs to the ISP's TFTP server, which - as far as the cable modem is concerned - makes you the TFTP server it wants.  So when it's ready, it will connect to your box and get your configuration file.

If you have a detailed enough understanding of TCP/IP this should make sense.  If not it's okay, there are plenty of resources available to learn more of the fundamentals.  There are many potential barriers an ISP may and should put in place to prevent this procedure from working.

Additionally, some cable modems don't allow you to ping the CPE interface until it obtains the TFTP configuration file, which would essentially prevent the spoofing from working as it will cache the correct MAC address before you can deliver it the wrong one by pinging it.  However, for the most part this process tends to work - at least for now.
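A small model of the ARP behaviour described above, next to one possible barrier: a cache that refuses to learn the provisioning server's address from the CPE side.  This is an added example and not modem firmware or code from the article; the class names, addresses and MACs are constructed, and the interface-binding rule is an assumed mitigation, not one the article names.

```python
HFC, CPE = "hfc", "cpe"            # the two modem interfaces named in the article

# Constructed values: provisioning server address and two hardware addresses.
TFTP_IP = "10.0.0.5"
ISP_MAC = "00:00:5e:00:53:01"
CPE_MAC = "00:00:5e:00:53:99"

class NaiveArpCache:
    """Learns IP -> (MAC, interface) from any frame; the first claim is kept."""
    def __init__(self):
        self.table = {}

    def learn(self, ip, mac, iface):
        self.table.setdefault(ip, (mac, iface))
        return True

    def lookup(self, ip):
        return self.table.get(ip)

class InterfaceBoundArpCache(NaiveArpCache):
    """Only accepts provisioning-server addresses when heard on the HFC side."""
    def __init__(self, hfc_only_ips):
        super().__init__()
        self.hfc_only = set(hfc_only_ips)
        self.rejected = []          # worth logging: a CPE-side claim for a server IP

    def learn(self, ip, mac, iface):
        if ip in self.hfc_only and iface != HFC:
            self.rejected.append((ip, mac, iface))
            return False
        return super().learn(ip, mac, iface)

def boot(cache):
    """Replay the post-reset order the article describes; return the TFTP entry."""
    events = [
        (TFTP_IP, CPE_MAC, CPE),    # ping from the CPE host, sourced from the TFTP IP
        (TFTP_IP, ISP_MAC, HFC),    # the real server, heard afterwards
    ]
    for ip, mac, iface in events:
        cache.learn(ip, mac, iface)
    return cache.lookup(TFTP_IP)
```

With the naive cache the CPE host's MAC ends up bound to the TFTP address; with the interface-bound cache the real server's entry survives and the rejected claim is available as a log event.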

I hope this article extended your understanding of how cable modems work and are configured - the utilities, servers, and services mentioned in this article are readily available on the web for numerous platforms.
