Haxorware Forums
What the recent security changes mean - Printable Version

Thread: What the recent security changes mean (http://www.haxorware.com/forums/showthread.php?tid=1027)



What the recent security changes mean - snoop911 - 27-10-2011

Anyone running an SB5100 modem with custom firmware (SB5100MoD.1.0.4, SIGMAX-BL_v2.6-LITE, etc.) booting a business config image from flash will soon realize that TWC is now using DOCSIS 1.1 (Baseline Privacy Plus Interface, 56-bit DES encryption (BPI+)), and that simply telnetting in and disabling/enabling BPI+ in the modem is pointless.

By linking digital certificates to the modem's key and MAC address, this effectively stops cloning HFC MACs, since it does not pass authentication (Reject(pk), Reject(kek) or Reject(tek)).

For some great info on this:
http://docsis.beckitrue.com/documents/cisco/initialization_wallchart.pdf
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-self.pdf

I'm guessing there will be a surplus of cheap modems out there now, and armed with a JTAG adapter, can the hardware be repurposed for something else? Is there a processor/FPGA that can execute custom logic?
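The authorization step described above, as an added example that is not code from the original post or from any modem firmware: a toy Python model of the CMTS side of BPI+ authorization (Auth Request in, Auth Reply or Auth Reject out). The toy RSA on fixed Mersenne primes, the certificate structure, the MAC addresses and the authorization key are all constructed for illustration and are assumptions, not DOCSIS code; in real BPI+ the CM presents an X.509 device certificate whose subject carries its MAC, the CMTS validates the chain to the manufacturer CA, and the AK is returned RSA-encrypted to the certificate's public key, with KEK and TEKs derived from or protected by that AK.

```python
"""Toy model of the DOCSIS BPI+ authorization exchange (Auth Request -> Auth Reply / Auth Reject).

Constructed example: toy RSA on fixed Mersenne primes, made-up MAC addresses and
authorization key. Not a DOCSIS implementation and not secure; it only shows why a
cloned HFC MAC fails once the CMTS checks the device certificate.
"""
import hashlib
from dataclasses import dataclass

# Mersenne primes used as fixed toy RSA primes (assumption: illustration only, not secure)
M31, M61, M89, M107, M127, M521 = (2**k - 1 for k in (31, 61, 89, 107, 127, 521))


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, m: int) -> int:
    """Raw RSA: encrypt/verify with a public key, decrypt/sign with a private key."""
    n, exp = key
    return pow(m, exp, n)


def digest(data: bytes) -> int:
    """64-bit truncated SHA-256, so the value is below every toy modulus used here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


@dataclass(frozen=True)
class CmCert:
    """Stand-in for the X.509 CM device certificate (real certs carry the MAC in the subject CN)."""
    mac: str
    pubkey: tuple   # (n, e) of the modem's RSA key
    ca_sig: int     # manufacturer CA signature over (mac, pubkey)


def cert_tbs(mac: str, pubkey) -> bytes:
    """The to-be-signed bytes: the certificate binds the CM MAC to the CM public key."""
    return f"{mac.lower()}|{pubkey[0]}|{pubkey[1]}".encode()


def issue_cert(signer_priv, mac: str, pubkey) -> CmCert:
    return CmCert(mac.lower(), pubkey, rsa_apply(signer_priv, digest(cert_tbs(mac, pubkey))))


def cmts_authorize(ca_pub, src_mac: str, cert: CmCert, ak: int):
    """CMTS side of BPI+ authorization for one Auth Request.

    Returns ('Auth Reply', AK encrypted to the certificate's public key) or ('Auth Reject', reason).
    """
    # 1. Chain check: the certificate must verify under a CA the CMTS trusts.
    if rsa_apply(ca_pub, cert.ca_sig) != digest(cert_tbs(cert.mac, cert.pubkey)):
        return ("Auth Reject", "certificate not signed by a trusted manufacturer CA")
    # 2. MAC binding: the MAC inside the certificate must equal the MAC the request came from.
    if cert.mac != src_mac.lower():
        return ("Auth Reject", "certificate MAC does not match the CM MAC")
    # 3. The AK goes back encrypted to the cert's public key; only the matching private key opens it.
    return ("Auth Reply", rsa_apply(cert.pubkey, ak))


def run_scenarios():
    """Four modems present the same MAC A to the CMTS; only the genuine one ends up with a usable AK."""
    ca_pub, ca_priv = rsa_keygen(M31, M61)            # manufacturer CA trusted by the CMTS
    legit_pub, legit_priv = rsa_keygen(M89, M107)     # genuine modem, MAC A
    clone_pub, clone_priv = rsa_keygen(M127, M521)    # cloner's modem, MAC B, its own key pair
    mac_a, mac_b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    ak = 0x0123456789ABCDEF                                  # constructed authorization key

    cert_a = issue_cert(ca_priv, mac_a, legit_pub)           # genuine cert for MAC A
    cert_b = issue_cert(ca_priv, mac_b, clone_pub)           # cloner's own genuine cert, for MAC B
    forged = issue_cert(clone_priv, mac_a, clone_pub)        # cloner signs a cert for MAC A itself

    def attempt(src_mac, cert, cm_priv):
        status, payload = cmts_authorize(ca_pub, src_mac, cert, ak)
        if status == "Auth Reject":
            return status, payload
        recovered = rsa_apply(cm_priv, payload)
        return status, "AK recovered" if recovered == ak else "AK garbage: KEK/TEK derivation fails"

    return {
        "genuine modem": attempt(mac_a, cert_a, legit_priv),
        "cloned MAC, forged cert": attempt(mac_a, forged, clone_priv),
        "cloned MAC, own valid cert": attempt(mac_a, cert_b, clone_priv),
        "cloned MAC, copied cert, no private key": attempt(mac_a, cert_a, clone_priv),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:40s} -> {result[0]}: {result[1]}")
```

The first two rejects are the Reject(pk)-style failures the post mentions; the fourth case is the one worth noting: copying a victim's MAC and certificate out of a flash dump gets an Auth Reply, but the AK comes back encrypted to the victim's public key, so a clone without the matching private key cannot derive the KEK and TEKs and still never gets traffic. The flip side is the caveat: this check only separates clone from original as long as the private key itself cannot be copied along with the certificate.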



RE: What the recent security changes mean - drewmerc - 27-10-2011

If you can code then yes, they could be repurposed using RedBoot (or similar) to bootstrap any kind of firmware you want (damn it, RedBoot is eCos, so 5101... meh, not deleting it now).
Anyway, you'd need a VxWorks bootstrap (damn, I have no idea what I'm really talking about, I suck at coding).


RE: What the recent security changes mean - Mordeth - 27-10-2011

(27-10-2011, 02:22 AM)snoop911 Wrote: Anyone running an SB5100 modem with custom firmware (SB5100MoD.1.0.4, SIGMAX-BL_v2.6-LITE, etc.) booting a business config image from flash will soon realize that TWC is now using DOCSIS 1.1 (Baseline Privacy Plus Interface, 56-bit DES encryption (BPI+)), and that simply telnetting in and disabling/enabling BPI+ in the modem is pointless.

By linking digital certificates to the modem's key and MAC address, this effectively stops cloning HFC MACs, since it does not pass authentication (Reject(pk), Reject(kek) or Reject(tek)).

For some great info on this:
http://docsis.beckitrue.com/documents/cisco/initialization_wallchart.pdf
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-self.pdf

I'm guessing there will be a surplus of cheap modems out there now, and armed with a JTAG adapter, can the hardware be repurposed for something else? Is there a processor/FPGA that can execute custom logic?

We have been discussing TWC upgrades for a few months now:

http://www.haxorware.com/forums/thread-947.html

I heard from a local PC tech in nearby West LA that someone has written his own flash program that enables the use of any Broadcom 3348-chipped modem to work on TWC without the use of any certs... even in DOCSIS 1.1 areas. I have yet to get in touch with this person or test his program.




RE: What the recent security changes mean - drewmerc - 27-10-2011

(27-10-2011, 05:27 PM)Mordeth Wrote: We have been discussing TWC upgrades for a few months now:

http://www.haxorware.com/forums/thread-947.html

I heard from a local PC tech in nearby West LA that someone has written his own flash program that enables the use of any Broadcom 3348-chipped modem to work on TWC without the use of any certs... even in DOCSIS 1.1 areas. I have yet to get in touch with this person or test his program.

I'd guess it's like the unreleased telnet script, as this is a known method to get online without certs but is easily patchable (and this is why it's not released).

I do not know what the above script contains, I never asked, but I have been told about it from trusted sources (I use my own methods, which do need certs, so no PMs asking for it).