
Haxorware Modem Firmware

This book is intended to be a manual for Haxorware which is a custom cable modem firmware.
This is a legal firmware change.
This book is NOT intended to demonstrate or condone any illegal practices.
DO NOT add information to this book regarding ANY theft of service!

Overview
Current Revision: 1.1 R39
Compatibility: All BCM3349 chipset based modems (Including SB5101/E/i, SB5102/E/i, Webstar
DPC2100R2, RCA DCM425, Ambit 250/255/256)
Versions: DIAG & LITE.
DIAG
• Might not perform optimally on an 8MB RAM modem (16/32MB upgrade recommended).
• Based on sb5102u/n firmware (which includes diagnostic output, console and SPI support).
• Much more verbose, to help troubleshoot issues.
• Standby button does not work
• Memory leak on SPI modems fixed in Rev39
LITE
• Based on sb5101e firmware
• Does not support SPI flash based modems.
• Crippled shell & much less diagnostic output in telnet/serial.
• Static IP option is missing because there is no ipconfig command in the shell anymore (and
the entire /ip page is missing too).
• The standby button on a 5101 works in LITE

Haxorware Modem Firmware/Installation
Installation varies based on your available method. Some methods require different hardware
modifications such as a JTAG or serial connector (outside the scope of this PDF). ALWAYS back up
the current firmware. If you flash a 2MB dump over the existing firmware you will lose the modem's
original certificates forever.

JtagUtility Instructions:
If your modem is currently running infinite firmware, it is recommended to restore it to stock, as it
was out of the box. To do this, restore the 2MB backup that I hope you made before flashing
infinite. The commands are as follows:
detect
ldram 9fc00000
(A File Open dialog will appear, find your 2MB backup file and click open)
program 9fc00000 200000

It is recommended you make a backup before flashing haxorware (or any other hacked firmware)
onto your modem. To create a 2MB backup with JtagUtility, enter the following commands:
detect
getram 9fc00000 200000
save 9fc00000 200000
(A save as dialog will appear, choose where to save your 2MB backup)

To program haxorware to your modem using JtagUtility, issue the following commands:
detect
ldram 9fc10000
(A File Open dialog will appear, find the haxorware firmware file you want,
haxorware11revXX-XXXX.bin, and click open)
program 9fc10000 130000

After the flashing is complete, reboot your modem and enjoy Haxorware
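
An added example, not part of the original manual or the Haxorware project: a Python check that a 2MB backup made with the getram/save commands above is usable before anything is programmed over it. The addresses and lengths come from the commands on this page; the function names, the blank-read test and the two-read comparison are assumptions of this example.

```python
import hashlib
import sys

FLASH_BASE = 0x9FC00000  # address in "getram 9fc00000 200000"
FLASH_SIZE = 0x200000    # length of the full 2MB dump
FW_BASE = 0x9FC10000     # address in "program 9fc10000 130000"
FW_SIZE = 0x130000       # length of the firmware region

def is_blank(data):
    """True when every byte is the same value (erased flash or a dead JTAG read)."""
    return len(set(data)) <= 1

def check_backup(dump, second_read=None):
    """Return (ok, problems, sha256_hex) for a full-flash dump held in memory."""
    problems = []
    if len(dump) != FLASH_SIZE:
        problems.append(f"size is {len(dump):#x}, expected {FLASH_SIZE:#x}")
    if is_blank(dump):
        problems.append("dump is one repeated byte")
    start = FW_BASE - FLASH_BASE  # firmware region offset inside the dump
    firmware = dump[start:start + FW_SIZE]
    if len(firmware) == FW_SIZE and is_blank(firmware):
        problems.append("firmware region is blank")
    digest = hashlib.sha256(dump).hexdigest()
    # Assumption: reading the flash twice and comparing catches unstable reads.
    if second_read is not None and hashlib.sha256(second_read).hexdigest() != digest:
        problems.append("second read does not match the first")
    return (not problems, problems, digest)

def constructed_dump():
    """Constructed sample input: a 2MB buffer with a repeating 0..255 pattern."""
    return bytes(range(256)) * (FLASH_SIZE // 256)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script first_read.bin [second_read.bin]
        reads = [open(p, "rb").read() for p in sys.argv[1:3]]
    else:
        reads = [constructed_dump()]
    ok, problems, digest = check_backup(reads[0], reads[1] if len(reads) > 1 else None)
    print("sha256:", digest)
    print("OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Keep the printed SHA-256 with the backup file so a later copy can be checked against it before a restore.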

Flashing over serial:


Diagnostic cable instructions (requires noisy bootloader):
Set your computer's IP to 192.168.100.10
Set up a TFTP server with haxorware11revXX-XXXX.bin in its root
Connect to the modem with HyperTerminal or PuTTY (with CR/LF changed to LF)
While the modem is turning on, press p (you should get a prompt)
If you do not get a prompt after pressing p, your modem does not have a noisy
bootloader, and you will have to use JTAG
Set the modem IP to 192.168.100.1
Leave everything else at its default (just press Enter)
When you get to the bootloader menu, press d
Enter 192.168.100.10 as TFTP IP
Enter haxorware11revXX-XXXX.bin as filename
It should download (the dots indicate progress)
When asked what image to save to, answer 1
Answer y to the "Store uncompressed image" prompt
Press b once you are back at the menu to boot the modem

USBJTAG Instructions:
If your modem is currently running infinite firmware, it is recommended to restore it to stock, as it
was out of the box. To do this, restore the 2MB backup that I hope you made before flashing
infinite. The commands are as follows:
detect
ldram 9fc00000
(A File Open dialog will appear, find your 2MB backup file and click open)
program 9fc00000 200000

It is recommended you make a backup before flashing haxorware (or any other hacked firmware)
onto your modem. To create a 2MB backup with usbjtag enter the following commands:
detect
getram 9fc00000 200000
save 9fc00000 200000
(A save as dialog will appear, choose where to save your 2MB backup)

To program haxorware to your modem using USBJTAG, please overwrite your usbjtag.def with the
one from this archive. After that, start USBJTAG and choose the SB5101 profile (Tools->Config
will open the profile selection dialog). Then issue the following commands:
detect
ldram Firmware
(A File Open dialog will appear, find haxorware11revXX-XXXX.bin and click open)
program Firmware

After the flashing is complete, reboot your modem and enjoy Haxorware

USBJTAGNT Instructions:
If your modem is currently running infinite firmware, it is recommended to restore it to stock, as it
was out of the box. To do this, restore the 2MB backup that I hope you made before flashing
infinite. The commands are as follows:
detect
ldram 9fc00000
(A File Open dialog will appear, find your 2MB backup file and click open)
program 9fc00000 200000

It is recommended you make a backup before flashing haxorware (or any other hacked firmware)
onto your modem. To create a 2MB backup with usbjtag enter the following commands:
detect
getram 9fc00000 200000
save 9fc00000 200000
(A save as dialog will appear, choose where to save your 2MB backup)

To program haxorware to your modem using USBJTAGNT, start USBJTAGNT and choose the
SB5101Mod profile (Tools->Config will open the profile selection dialog). Then issue the following
commands:
detect
ldram Firmware
(A File Open dialog will appear, find haxorware11revXX-XXXX.bin and click open)
program Firmware

After the flashing is complete, reboot your modem and enjoy Haxorware

Upgrading from previous shelled firmware (infinite) or Haxorware 1.0
Set your computer's IP to 192.168.100.10
Set up a TFTP server with haxorware11revXX-XXXX.bin in its root
Make sure the Haxorware WebGUI isn't currently open
Connect to the modem with HyperTerminal or telnet to the IP 192.168.100.1
Enter your username and password
cd /ip
ipconfig 1 release
y
dload -i 1 -l -f 192.168.100.10 haxorware11revXX-XXXX.bin
y
cd /
reset

Haxorware 1.1 should now boot

Upgrading from Haxorware 1.1


Make sure the modem's CPU usage is low. If it is currently scanning for
downstream, make it stop by going to the web shell and entering:
cd /docsis
scan_stop
The safest time to do the firmware upgrade is when the modem is fully
operational and online.
Then use the Firmware Upgrade page on the WebGUI, find haxorware11revXX-XXXX.bin
and upload it to the modem in the Firmware section.
Reboot the modem using the WebGUI or otherwise, and the new version of
Haxorware should now boot.

Haxorware Status/Overview

HFC Parameters
Mode - DHCP assigned address or Static
IP Address - Your currently assigned IP address
Subnet - Subnet mask applied to your IP address
TFTP Server - "Provisioned" Config file name assigned by your ISP
TFTP Filename - "Provisioned" Config file name assigned by your ISP
ToD Server - "Provisioned" Time Of Day server IP assigned by your ISP to synchronize against.
Configuration file Name - "Actual" Config file name in use. When using one different from what was assigned by the ISP, the filename shows here.
Size - Config file size
Compliance - DOCSIS version compliance of this config file.

Haxorware Status/Signal

Downstream
Frequency - This is the frequency your downstream channel is on
Status - Whether the channel is locked or in process
Annex - DOCSIS or EURODOCSIS
Modulation - Modulation rate such as QAM256, QAM16, etc. Higher is faster.
Symbol Rate - Number of symbols per second.
Receive Power - Downstream channel signal strength measured in dBmV.
Signal to Noise ratio - SNR measured in decibels (higher is better)

Upstream
Frequency - This is the frequency your upstream channel is on
Channel ID - Upstream channel number
Status - Whether the channel is locked or in process
Mode - TDMA or ATDMA. (ATDMA is faster)
Symbol Rate - Number of symbols per second.
Transmit Power - Broadcast signal strength to the head end at your ISP, measured in dBmV

Haxorware Status/Event Log

Displays Events and errors in operation


Haxorware Configuration/Settings

Settings
Factory Mode - This forces the modem to behave as if it was supplied by the ISP and bypasses custom settings.
Disable Firmware Upgrades - This option will force Haxorware to ignore new modem firmware pushes from the ISP. Unchecking this could compromise your Haxorware install.

Force Network Access
TFTP Enforce Bypass - If your ISP enforces the TFTP config file, this option will tell the modem to download the supplied config file at the right point, even if you are using another one.
Disable IP Filters on startup - IP filters are used by some ISPs to block traffic of certain types on certain ports (such as if your ISP blocks port 80 to prevent you from hosting a web server). This option bypasses them entirely.

Timeouts
Ignore T1 (No valid UCDs)
Ignore T2 (Ranging Opportunity)
Ignore T3 (Ranging Response)
Ignore T4 (Station Maintenance)

Administration
Control Panel IP Address - Set a different IP than standard here if necessary
DHCP Server - Check this to assign the IP to WAN on router or to PC. Uncheck this ONLY if you have it set manually.

WebGUI
Password protection - Enable or disable password protecting the GUI from tampering.

Telnet Server
Current state - Whether Telnet services are running
Run on startup - Whether Telnet should start when the modem is booted, or only when manually enabled.

Haxorware Configuration/Frequency

Annex - Choose DOCSIS or EURODOCSIS based on your region.
Plan - Choose the type matching your region.
Preferred DS Freq 1, 2, & 3 - Displayed in "Hz" not "MHz" (for example, 600MHz would actually be entered as 600000000). These are the frequencies checked first before scanning.
Upstream Channel - This is the preferred upstream channel to try before scanning for available channels.

Haxorware Configuration/Addresses

Addresses
HFC MAC - This is the MAC address your ISP will see for this modem. Changing this to a number that does not have factory certificates loaded will generate a self-signed certificate. Most ISPs do not accept self-signed certificates in BPI+ DOCSIS 1.1 mode. Click copy from certificate to change back to the MAC for the current certificate.
Ethernet MAC - This is the MAC address your computer or router sees when querying the modem via Ethernet
USB MAC - This is the MAC address your computer or router sees when querying the modem via USB
Serial Number - This is the serial number for the modem presented upon query

Certificate generation
Certificate type - When generating certificates, this is the type of certificate preferred

Haxorware Configuration/Config File

Force Config File
Server IP - This is the IP address of the TFTP server hosting the config file you want to run.
File name - This is the filename of the config file you want to pull from the above IP

Autoserve
Autoserve Config File - Disabled until a new config is uploaded. Some ISPs can be tricked to allow you online using a config file saved directly to your modem instead.
Store new config - Where you upload a stored config file.

Haxorware Configuration/Baseline Privacy

Baseline Privacy
BPI - Baseline privacy version running. BPI 1.1 must be enabled to use DOCSIS 1.1 config files with valid certificates. Bypass must be enabled to use 1.1 configs with self-signed certificates, but will not work on all providers.

Backup/Restore
Backup - Back up your current certificate set
Restore from filesystem - Restore uploaded or previously backed up certificate sets
Restore from file

Certificate Download
Download individual certificates

Certificate Upload
Upload individual certificates here

Haxorware Advanced/Static IP

Force Static IP - Check this to force your modem to override any DHCP assigned information with the contents below. Note that this does not stop your provider from assigning your IP to another user, since you did not pull from their pool.
Suppress DHCP Requests - Check this to ignore any requests from the provider to provide your modem with a DHCP lease
IP Address - Enter your desired IP address here
Subnet Mask - Enter the applicable subnet mask here
Gateway - Enter the appropriate gateway here
TFTP IP - Enter your desired TFTP server IP address here
TFTP Filename - Enter the configuration filename on the provided TFTP server that you wish to run
ToD IP - Enter your desired Time Of Day server address here. This is generally the same as the TFTP server IP

Haxorware Advanced/Stealth

Modem Identifiers
Vendor - Enter the manufacturer you want to emulate or tell the ISP you are running
Model - This is where you enter the model number information you want to supply
Software Version - This is where you enter the firmware version you want to supply
Override Hardware Version - Check this to supply a hardware version to the vendor other than what it actually is.
Hardware Version - Enter the hardware version you want to supply here
Override Bootloader Revision - Check this to override the default bootloader revision sent to your ISP
Bootloader Revision - Enter revision information here

SNMP Agent
Server Port - Port number for SNMP scans
Disable SNMP Agent after registration - Check this to disable SNMP probe requests from your ISP after initial registration when the modem goes online (recommended)
Redirect SNMP Traps - When SNMP requests are sent, redirect them to another device and port (such as another modem on the network)
IP - IP address to redirect to
Port - Destination port at redirected IP

Haxorware Advanced/Downloader

This page allows you to download config files from your ISP's TFTP server, to examine them with
programs such as vultureware or to autoserve them from the modem.
The IP address and filename may be entered here, and clicking download will prompt you with a
file save dialog box.

Haxorware Advanced/File Manager

Free Space
Before Defragmentation - Size in KB before a defragmentation is performed
After Defragmentation - Size in KB after a defragmentation is performed

Haxorware Configuration
Config File - This allows you to download or delete the existing config file stored in the modem
File Size - File size of the config file in bytes
Entries - Number of entries in the config file

Restore From File
Files - Previous backup files or uploaded files are shown here, which can be downloaded or deleted, in the following format:
CMXXXXXXXXXXXX.tar (size in bytes) (option) Download Delete

Upload New File
A file chooser dialog is shown when this is clicked. Click upload after picking the file to upload.

Haxorware Web Shell

Any shell commands can be entered here. These are generally commands you might use at a
file system shell (such as telnet), without having to open an actual session.

Haxorware Backup and Restore

Here you can back up either your nonvol information, or do a FULL firmware backup (2MB) to a
file. When you click backup you are prompted with a file save dialog.
You can also restore a previously backed up nonvol here in case of issues.

Haxorware Firmware upgrade

Firmware upgrade
Firmware Image - Pick the file you want to upload. Be sure to pick the right one. Haxorware DOES however have provisions to prevent drastically wrong choices (such as accidentally picking a 10KB text file)

Bootloader upgrade
Bootloader Image - Update the bootloader only (such as if you need to load the noisy bootloader to diagnose issues)

Haxorware Factory Defaults

Clears all dynamic settings such as preferred downstream frequencies, upstream channel IDs and
their power levels.

Haxorware About

Information about Haxorware

Haxorware Reboot

Modem reboot page

Relevant Links
• http://www.sbhacker.net
• http://www.haxorware.com

Original idea educate taken from the wiki article here


http://en.wikibooks.org/wiki/Haxorware_Modem_Firmware