Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to hack: Docsis 1.1
#1
Yeah, I know, we cant manipulate cert's, or at least, so they say: We must have originonal cert's.. or do we? What if we could force the cmts itself, to make legit, our illegitimate cert's?

I know at the start of d3, I did, in fact, get online on d1.1, Bpi enforced, using invalid cert's by forcing the cmts to see my illegitimate as genuine, and this is how it was done:

First, Grab this:
.rar   SB6120-1.0.2.0-ENG00-SH.NNEMN.rar (Size: 2.94 MB / Downloads: 204)

Now, for the first lesson on knowing what is what, rename this file p7b.

Now double click it. You now see your cvc time has expired. What you cant see is what I just showed you, that you can see your cvc with a simple renaming of the file. Undo rename.

Now, using prefered hex editor, remove the p7 header. This is done in hex editor by removing approx 1604 bytes for docsis, and 1527 bytes for euro docsis, sorry I dont know the west's (US) byte's to remove. It is best to save a copy of what you remove for the next stage.

What you have saved is an old p7 header, the cvc start-end time. Here's the kicker: Grab this config:
.rar   V4b90676b7b571b44.rar (Size: 2.57 KB / Downloads: 128) and open it with vultureware. Scroll down until you see the 4 line's:

Manufacturer Code Verification Certificate (32) 30 82 03 81 blah blah..

Replace these with your updated cvc start/end time.

How do you get this new cvc?

Try downloading config from your isp, preferably while attempting a bpi23/secure software download, and this WILL contain the NEW start end time for the MAC you are using, now rename this config to p7b, and double click.. ya get me? Now open said config in vultureware, add those four lines like you see in the config I posted to the config you create, in particular, your signed firmware.. Now you know why I posted it. Dont use config I posted, use your's. Done correctly, your modem will validate with the cmts, invalid cert's.

I guess you all forget the most crucial aspect of the docsis network. There is only ONE.. mac check in place throughout the entire system, they're too busy securing bullshit cert's.

Did you ever consider uploading your downloaded config to the cert page in haxorware? I did..

Remember, I used the eng bin for testing, the config is just for show, do not use it.. I just posted it for demo purposes.

Post cause and effect's here for all to see.. Wink

Ps, for noobs, if you cant save config cause it asks for a string, use private string found in the config your trying to save Wink

Keep in mind, these 4 lines can only be altered in modem from coax input, ie, config.. Wink ?????
Reply
#2
out of date stuff with no use. nothing to do with docsis3.0
Reply
#3
Hahaha, oh man, your comment show's how useless your comment is, for the following reason's:

1. It is actually a tut to load any signed firmware sent by isp, which would then obviously be loadable from any tftp server since the cvc is included, why not tell them that? This is a tut to load ISP SIGNED firmware to start with. You know that p7 header most say to cut off and get rid of? In this case I beg to differ.. Useless in d3? 2: I dont think so, since same method applies, and 3: This is intended as a way to access docsis 1.1, and since when was docsis 1.1, docsis 3.0?

If it's to old to be of use to you, perhap's you'd like to share some of your 'latest' method's?
Reply
#4
(01-07-2015, 10:21 PM)Canis-Major Wrote: Hahaha, oh man, your comment show's how useless your comment is, for the following reason's:

1. It is actually a tut to load any signed firmware sent by isp, which would then obviously be loadable from any tftp server since the cvc is included, why not tell them that? This is a tut to load ISP SIGNED firmware to start with. You know that p7 header most say to cut off and get rid of? In this case I beg to differ.. Useless in d3? 2: I dont think so, since same method applies, and 3: This is intended as a way to access docsis 1.1, and since when was docsis 1.1, docsis 3.0?

If it's to old to be of use to you, perhap's you'd like to share some of your 'latest' method's?

What I mean is that cvc is bypassed by "enable bpi23 false" you don't really need to get the isp signed firmware... atleast in mine.

Once the ISP remove all the old modems, provision modems by X area of X cmts, bpi+ enforcement, have different shared secret pre node and enable tftp proxy there is no method for anything. The ISP don't need firmware update or anything else... you can make a 1:1 clone and it wont work.
Reply
#5
bpi23 is only for secure software download from isp, as for the rest, Remove all the 'old' modem's? Just because they'll supply me with a new modem does not mean I'll use it. What does this do for you?

What if, I just use a clone and piss them right off?

Cause I can here.

What if I just clone cert's and mac, since this is NOT a 1.1 clone?

Global provisioning is a joke mate, since when did comcast let me use my virgin modem in the us when I'm in the uk?

Sleeeeep!!
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)