
Included in this pack is all the software you will need to uncap your cable modem.

Below are the instructions on how to perform this hack, written by DerEngel and provided by
MonkeyWrencher.
E-mail Monkeywrencher@theoryshare.com

How To UnCap Motorola Surfboard Cable Modems


Step by Step with Pictures (By DerEngel)

Version 2.0

In case you're not familiar with what this is: cable companies put "caps" on the
cable modems of the customers on their systems. These caps are enforced to
ensure everyone has a fast and reliable connection to the internet, or because the
cable company wants to tier its service, for example selling you a certain speed
configuration at one price while offering faster configurations for more. These
caps tell the modem how fast it can send and receive data.

The original way to uncap a DOCSIS modem is to replace the modem's
configuration file on startup with your own. A cable modem's speed
settings (and some other settings) are encoded into a standard DOCSIS
config, which the modem downloads when it boots up.

When a cable modem comes online, it talks to a Universal Broadband Router
(UBR), and the UBR tells the modem to download a certain file from a
server. The first process involves getting this information. The config file is
stored on a TFTP server. Once your modem downloads this config, it
processes it, and if the CMTS (Cable Modem Termination System) is
successful, your modem will come online.

So to uncap your modem, you need to change this file. Surfboard modems,
as well as 3Com Sharkfin modems, have a big flaw in the original firmware.
When the modem starts up, bridge forwarding from the Ethernet port is
enabled. If you have connected a computer whose TCP/IP address is set to
the same address as the cable system's TFTP server, the modem will
request the configuration file from the Ethernet port instead of the coaxial
connection.

Rumors have spread around that this flaw in the system was actually put
there in testing when the modems were being designed and manufactured.
That is why this exploit of the modem usually only works with Surfboards,
because most cable modems will not request the config file from the Ethernet
port.

Once your modem has downloaded the config from you, the modem
will function just as normal; however, the speed settings will be changed.
Keep in mind that your speed can never go faster than you can physically
get. Noise to decibel plays a big part in this: if you are 10 miles away from
your ISP (or from your local node's coax-to-fiber router) you will
probably surf slower than someone who is 1 mile away.

This guide will show and explore how to exploit this and take advantage of
your cable modem. Enjoy

STEP 1:

Step 1: Gather information about your ISP's Cable System


In this step, we gather information about your Internet Service Provider's server. First
you need to know your TFTP server. A TFTP server is where your ISP keeps certain
files, configs, firmware updates, etc. An ISP might have more than one TFTP
server. Next you need to know your boot file's name. A boot file is the file that your
ISP sends to your modem when it first connects to the service. The boot file is
encoded with an MD5 algorithm fingerprint (it's a file protection scheme used over
networks). This file contains many values, which we will discuss later.

You're going to need to know a few things.


• Your Boot File Name
• Your TFTP Server Address (usually the same as the DHCP)
• Your Current IP
I would also like to mention that sometimes the TFTP server can be DIFFERENT
from the DHCP server. So if your modem doesn't download the file once you have
changed your IP, try to resolve another server that might have the correct IP.

First, we need to find your TFTP server. This can be done in many ways.

The preferred way is to use the Step 2 Software from TCNiSO.
Click Start Query, and it will retrieve the values from your
modem. Note: This is also a good way to see if you are
uncapped.

To find your DHCP server in the command prompt, type ipconfig /all

To find your DHCP server in a web browser, open the page
http://192.168.100.1/address.html
and you should see your DHCP IP in the DHCP Server Address table.
Note: Some modems won't display the correct information.

To find your DHCP server in Query.exe, type your MAC
address into the field (example: 00:20:40:E2:CA:5C) and then
click "Fetch". Note: Query may take up to 30 minutes while it
tries to find the information.

Second, we need to find your Boot file's name.

In Query, your boot file's name should be displayed (but sometimes it is not).
DocsDiag can also show you the name of your file. A tutorial for it can be found Here.
For most modems, you can find the boot file name in the logs of your modem.
The logs can be found here: http://192.168.100.1/logs.html

7-Information D509.0 Retrieved TFTP Config config_silver.cm SUCCESS

config_silver.cm is the name of your boot file (this file name WILL vary from provider to provider).

Note: If none of these methods work for you, jump to Step 6 for an alternative way,
or try the Ethereal solution.

How to Capture your information using Ethereal


This tutorial shows you how to grab your TFTP server IP address and the name of your
config file. Your ISP can do nothing to stop you from getting this information because it is
necessary in order for your cable modem to function properly.

Ethereal is a network interface sniffer; it sniffs network data packets. Using this application
you can view the packets your ISP sends to your cable modem.

Download Ethereal from www.Ethereal.com

Install Ethereal. Note: you may have to install libraries or runtime files to run it.

Once you have it running, click on Capture and hit Start; this will bring up the options window you see below.
Make sure your Interface is your network interface card.
If you have multiple network cards, make sure you select
the one that is connected to your modem. Next, make sure UDP
is typed into the Filter box. Finally, check "Update list of packets in real time".

This process might take some time, but you will eventually see packets from your ISP
server to your modem, or to other modems. The packets you are looking for will be of
Protocol SNMP; the destination is usually 255.255.255.255. When you find the packet, take
a look at the ASCII, and inside that should be concealed the IP of your TFTP server and the
config name of your ISP.

Other notes: you will also be able to pick up the packets for business modems, that
is, you will be able to see the config file name for faster configuration files. However,
sometimes you will only be able to sniff them if they are on the same node as you.

STEP 2:

Step 2: Download your ISP's configuration Or create your own.


In this step, we retrieve the boot file so that we can modify it for the modem. The
boot file controls the download speed, the upload speed, CPE (external devices that
are assigned IPs), your frequency, and some other miscellaneous info. Your boot file is on a
remote server at your ISP known as the TFTP server. Since ISPs will now try to
make it difficult for you to retrieve this file, you can also create your own.

You can use the TCNiSO Step 2 Software to download your config.

You can also retrieve your config from the command prompt.

tftp -i <Server Address> GET <filename> C:\<filename>

For example, if your DHCP server is 24.25.26.1 and your boot file is silver.cm, you would
type tftp -i 24.25.26.1 GET silver.cm C:\silver.cm

Since ISPs can set up their systems to let only cable modems download the files, you
can try to "spoof" your cable modem's HFC address. This can be done.

HFC Address Spoofing


This concept was originally derived from Byter.

The principle behind this technique is to make your computer look like your modem. The
first thing you need to know is your HFC gateway (the one you use to browse the
internet).
You can get your HFC address by using your modem's internal website.

Go to http://192.168.100.1/address.html and write down your HFC IP address.

You can also get your HFC address by using tracert (in case your web interface is disabled).
At the command prompt, type and run tracert -d www.microsoft.com
The first IP listed should be your HFC IP (the first octet, the A class, should start with a
10).

Once you have that information, you need to change your computer's IP.

If you need help changing your IP, read Step 4.

Change your IP to the IP of the HFC address, and then add 1 to your D class.

For example, if your HFC address was 10.2.65.3, then you change your IP to 10.2.65.4.
Technically you could use any number in your D class, so if the number was 255 you could go to 254.

Now that you have changed your IP, you should be able to use the above programs or
methods to retrieve your config. Once you have your config you can change your IP back
or move ahead to Step 3.

Note: When you change your IP address you may not be able to surf web pages.

You can check out the Alternative HFC Spoofing technique here.

STEP 3:

Step 3: Change your config file to the desired speed.


In this step, we take a closer look at your boot file (config) and make the necessary
modifications to change the speed. First we will decode your file, edit it, and
then re-encode it for your modem.

Edit your config file using TCNiSO's own config editor, called Docsis32Pro (byter).
This software makes it really easy to open up a config and change the speed values.
You can find a copy of it in the Software section.

For more advanced users who want to play with more settings, or to create your
own basic config file, get ConfigEdit by need2down. You can also use this to create
a config file in the event you don't have one. In the future we will release an easy to
understand manual for all of the OIDs, SNMP objects and expressions.

Basic Config Definitions:

MaxRateDown and MaxRateUp are your download and upload speeds; these values
are displayed in bits. So 10000000 equals 10Mbits. Edit your MRD and MRU to
your liking. Do not make these values unreasonably high.

MaxCPE is the number of devices you can connect to the modem. For example, if
you don't own a router but have a hub, you can connect extra computers to the
modem.

SwUpgradeServer is the server your modem will look at to receive updates.

CmMic and CmtsMic are checksum values for the config. Any line containing these
should be removed.

GenericUnknownTLV: any line containing this should also be deleted.

SnmpMibObject .1.3.6.1.2.1.69.1.2.1.7.1 = 4; that is, any line that contains this, with
a number after the values, can be deleted or the "=" replaced with the word "Integer".

SnmpMibObject .1.3.6.1.2.1.69.1.2.1.4.1 = "public"; that is, any line that contains
this, with a string after the values, should be deleted.

Once you edit your config, make sure you name it the same as your original. This new
file is placed in your existing directory.

STEP 4:

Step 4: Setup a TCP/IP Interface on the TFTP Server IP (Change IP)


In this step you set up a client that will act as a TFTP server, which we will
then use to send your modem your config file. To do this, you need to have a
computer that is capable of running TFTP software. You will then need to connect
the computer to the modem through a Local Area Network (LAN).

Troubleshooting Tip: Sometimes you need to unplug your modem
when you change your IP. This has been reported to work on some
machines when the normal method did not work.

In your Local Area Connection Properties, choose Internet Protocol (TCP/IP) and click Properties.
Make sure you're using a specified IP address.
Change your IP to that of your DHCP server's address.
Change your Subnet mask to 255.255.255.0
Change your Default gateway to 192.168.100.1 (that is the IP of your Motorola
modem).

Note: Your DNS servers do not matter when uncapping.

Click OK and your machine will make the changes without restarting.

Windows 98 Users:

To change your IP in Windows 98 or Windows ME without restarting, follow these steps.

First you need to disable your Network Interface Card (NIC). Right-click on "My
Computer" and go to Properties. Then go to the Device Manager tab and find your NIC
under the Network Adapters.

Find your NIC and click Properties. Under Device Usage, check "Disable
in this hardware profile". Click OK, then click Close.

Under your network properties, find your TCP/IP protocol and click Properties.
Under the IP Address tab, click Specify IP Address and fill in your TFTP server IP
and Subnet mask. Next click the Gateway tab and add 192.168.100.1. When
prompted to restart, click NO.

Now, once you have changed your IP, return to the Device Manager and enable your NIC.
Once your NIC is functioning again, click Close. Proceed to Step 5.

STEP 5:

Step 5: Setup a TFTP on Your System And Upload the New Config

Now that we have a computer set up with the IP of the TFTP server, you must set up
and install a TFTP server. Once the server is configured, the cable modem needs to
be restarted. When the modem boots up, it should download the config from the
server.

TCNiSO Step 5 (TFTP Server)

This application is really easy to use: just set the path of your config and click Start
Server. Note: This application also pings your modem while attempting to send the
file. (This is sometimes necessary for some modems.) It also sets the Time of
Day on your modem.

You can also use tftpd32.exe. When you first run it, make sure it says "Listening on
port 69" before you make any changes to the Settings tab.

Click on Properties and make the following changes.

Security: None (We don't want to authenticate your modem, do we?)
Base Directory: The directory your edited config file is in.
Use Tftpd32 only on this interface should be set to your DHCP server.
Translate Unix file names (Unix systems don't support file names with special
characters or spaces.)
Click OK and minimize tftpd32.exe
Make sure your EDITED boot file is in C:\ (your Base Directory)

Next, all you have to do is restart the cable modem.

Unplug your modem, then plug it back in. Your Power light should come on and start
flashing. Now watch your tftpd32.exe main window. It should say that your
modem is asking for that boot file, and your server should send it to your modem.
If your modem asks for any additional files, unplug your modem, copy and paste
your boot file in your C: and rename it to the file it was asking for.

As you can see, your modem should request the file (in this case isrrlP1BW1.bin)
and your computer should send out the file it requests. If your modem accepts the edited
file, your modem now has the edited file and is uncapped.

Troubleshooting Tip: If your modem requests the boot file several
times, this is usually an error. The first thing you should do is check
the modem's logs and try to determine what that error is. If you see an
error called 1-Emergency D8.0 TFTP Complete, but failed Integrity
Check (MIC), this error means the MD5 check was invalid. Try
to use the MD5 Remover from the software section. Also, some
users with SB3100s have had to ping their modems while they
restarted them. To do this, go into your command prompt and type "ping -t
192.168.100.1"
Copyright 2002 - DerEngel - CableModemHack.com in association with TCNiSO
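
The two modem log entries quoted in this guide (the config retrieval line and the MIC failure) are the records an operator would review. As an added example, not part of the original guide, this sketch flags modems that retrieved a config other than the provisioned one or that log repeated MIC failures; the MAC-prefixed line layout, the provisioning table, the threshold and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed provisioning table: modem MAC -> config file the operator assigned.
PROVISIONED = {
    "00:20:40:aa:00:01": "config_silver.cm",
    "00:20:40:aa:00:02": "config_silver.cm",
    "00:20:40:aa:00:03": "config_gold.cm",
}

# Constructed sample: modem log entries collected centrally and prefixed with the
# modem MAC (assumed layout). Message texts follow the two lines quoted in the guide.
SAMPLE_LOG = """\
00:20:40:aa:00:01 7-Information D509.0 Retrieved TFTP Config config_silver.cm SUCCESS
00:20:40:aa:00:02 7-Information D509.0 Retrieved TFTP Config config_gold.cm SUCCESS
00:20:40:aa:00:03 1-Emergency D8.0 TFTP Complete, but failed Integrity Check (MIC)
00:20:40:aa:00:03 1-Emergency D8.0 TFTP Complete, but failed Integrity Check (MIC)
00:20:40:aa:00:03 7-Information D509.0 Retrieved TFTP Config config_gold.cm SUCCESS
"""

LINE = re.compile(r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
                  r"(?P<prio>\d-\w+)\s+(?P<code>D[\d.]+)\s+(?P<msg>.+)$", re.I)
RETRIEVED = re.compile(r"Retrieved TFTP Config (?P<name>\S+) SUCCESS")
MIC_FAIL = "failed Integrity Check (MIC)"

def audit(log_text, provisioned, mic_threshold=2):
    """Return (mac, finding, detail) tuples for entries worth a closer look."""
    findings = []
    mic_failures = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a modem log entry in the assumed layout
        mac, msg = m["mac"].lower(), m["msg"]
        got = RETRIEVED.search(msg)
        if got:
            expected = provisioned.get(mac)
            if expected is None:
                findings.append((mac, "unknown-modem", got["name"]))
            elif got["name"] != expected:
                findings.append((mac, "config-mismatch", got["name"]))
        elif MIC_FAIL in msg:
            mic_failures[mac] += 1
    for mac, n in sorted(mic_failures.items()):
        if n >= mic_threshold:  # a single failure can be transient; repeats are not
            findings.append((mac, "repeated-mic-failure", str(n)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, PROVISIONED):
        print(*finding)
```

The name comparison only catches a different file name; the guide has the edited file keep the original name, so the MIC failure entries are the signal that covers that case.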

STEP 6:

Step 6: Change your Settings back and Download


Since you cannot browse the internet with the settings of your ISP, you need to
change them back to the original settings. Once that is done, download and enjoy the
speed.

First restore your TCP/IP settings.

You must change your IP back to one that your ISP will allow you to have online.
You can enter your original settings in here, or set both settings to Obtain
Automatically.

Now, return to your TCP/IP settings.

Change your IP and your Default gateway back to how you had them before.

Click OK, and your computer should now return and be online.

With your modem running a new config file, you should be able to
download and upload at the maximum values physically possible. My favorite part. To
test your connection, try to upload an MP3 or a file to a friend, or go visit a very fast
website. Note: Some websites might not have enough bandwidth open for you to get
fast speeds.
Most Cable modems are not capped on the downstream, some are. Speeds will vary
from your location and quality of your cable. If you found this Page useful or have
ANY Questions, don't hesitate to Email me. If you want to help out, please donate 5$
through PayPal. Email Address: tcnisodonations@hushmail.com - It shows us your
appreciation for all the hard work we have put into this project. One on One help can
be available, also Visit our IRC Chan, we have much to offer for capped or uncapped
people alike.

If your modem's Activity light is still on and you cannot seem to connect to the
internet, your config file might possibly be incorrect. Unplug your modem, turn off your
TFTP server, and plug your modem back in. Also, every time your modem's power is cycled,
you will need to set up a TFTP server to resend the edited config. Also keep in
mind that there is new firmware floating around that ISPs can use to re-cap you permanently.
So don't forget to check out the Firmware section.

IRC Channel is #Surfboard on Efnet


On a final note, if your modem will not take the config file you are trying to send to it
even after you use the md5 hack, try uploading your original untampered config. If it
will upload, then you may be able to find faster files in your area. For faster files use those
included in the onestep program and visit fibercoax.net for a config finder. Also, currently
surfboardhack.com offers a finder called dfile thief. Have a nice day…

Monkeywrencher

Nickadavid@msn.com for MSN IM
and Nickadavid on AIM

ALSO DON’T FORGET TO VISIT THEORYSHARE.COM
