Included in this pack is all the software you will need to uncap your cable modem.Below are the instructions on how to perform this hack. Written by DerEngel provided by MonkeyWrencher. E-mail [email protected] How To UnCap Motorola Surfboard Cable Modems Step by Step with Pictures (By DerEngel) Version 2.0 Incase your not familiar what this is, Cable companies put “Caps” on the cable modems of the customers on their systems. These caps are enforced to ensure everyone has a fast and reliable connection to the internet. Or cable companies wants to Tier your service, for example sell you certain speed configuration at a price but also offer faster configurations for more. These Caps tell the modem how fast it can Send and Receive data. The original way to uncap a DOCSIS modem, is to change the modem’s configuration file on startup with your own. You see, a cable modems speed settings (and some other settings) are encoded into a standard DOCSIS config. Which the modem downloads when it boots up. When a cable modem comes online, it talks to a Universal Broadband Router (URB) and the URB tells the modem to download a certain file from a server. The first process involves getting this information. The config file is stored on a TFTP Server. Once your modem downloads this config, it processes it and if the CMTS (Cable Modem Termination System) is successful, your modem will become online. So to uncap your modem, you need to change this file. Surfboard modems, as well as 3com Sharkfin modems have a big flaw in the original firmware’s. When the modem starts up, bridge forwarding from the Ethernet port is enabled. If you have connected a computer with the TCP/IP protocol’s address set the same as the cable systems TFTP address, the modem will request the configuration file from the Ethernet port instead of the coaxial connection. Rumors have spread around that this flaw in the system was actually put there in testing when the modems were being designed and manufactured. That is why this exploit of the modem usually only works with Surfboards, • Your Boot File Name • Your TFTP Server Address (usually the same as the DHCP) • Your Current IP I would also like to mention. configs. First you need to know your TFTP server.because most cable modems will not request the config file from the Ethernet port. First. An ISP might have more than one TFTP server. which we will discuss later. or firmware updates etc. (its a file protection scheme used over networks) This file contains many values. The boot file is encoded with the MD5 algorithm fingerprint. Noise to decibel plays a big part in this. Enjoy STEP 1: Step 1: Gather information about your ISP's Cable System In this step. This guide will show and explore how to exploit this and take advantage of your cable modem. that sometimes the TFTP server can be DIFFERENT from the DHCP server. Next you need to know your boot files name. if you are 10 miles away from your ISP (or from your local NODE’s Coax to fiber Router) you will probably surf slower than someone who is 1 mile away. Your going to need to know a few things. Click for a Larger View . we gather information about your Internet Service Provider's server. the modem will function just as normal. we need to find your TFTP server. Keep in mind that your speed can never go faster than you can physically get. So if your modem doesn't download the file once you have changed your IP. try to resolve another server that might have the correct IP. A Boot file is the file that your ISP sends to your modem when if first connects to the service. this can be done many ways. Once your modem has downloaded the config from from you. however the speed settings will be changed. A TFTP server is where your ISP keeps certain files. exe.The preferred way is to use the Step 2 Software from TCNiSO. To find your DHCP server in the command prompt. (But sometimes.1/logs. Type Your MAC Address into the field (Example 00:20:40:E2:CA:5C) and then click "Fetch". http://192.100.168. Second. open to page http://192. A tutorial for it can be found Here.html And you should see your DHCP IP in the DHCP Server Address table. we need to find your Boot file's name. In Query. Click Start Query. Note: Some modems wont display the correct information. Note: Query may take up to 30 minutes while it tries to find the information. The logs can be found here. you can find the boot file name in the Logs of your modem.0 Retrieved TFTP Config config_silver.html 7Information D509. and it will retrieve the values from your modem. it does not) DocsDiag can also show you the name of your file. Now for most modems.168. your boot file's name should be display. Note: This is also a good way to see if you are uncapped.cm SUCCESS . Type ipconfig /all To find your DHCP in a web browser.100. To find your DHCP server in Query.1/address. this will bring up the options window you see below. Ethereal is a network interface sniffer. . Your ISP can do nothing to stop you from getting this information because it is necessary in order for your cable modem to function properly.config_silver.cm is the Name of your Boot file (This file name WILL Vary from provider) Note: If non of these methods work for you. it sniffs network data packets. How to Capture your information using Ethereal This tutorial shows you how to grab your TFTP server IP address and the name of your config file. Or try and use the Ethereal Solution. Click on Capture and Hit Start. Using this application you can view the packets your ISP sends to your cable modem. jump to Step 6 for an alternative way. Once you have it running.com Install Ethereal. Download Ethereal from www. note: you may have to install libraries or runtime files to run it.Ethereal. However. The boot file controls the download speed. STEP 2: Step 2: Download your ISP's configuration Or create your own. And finally. Check "Update list of packets in real time". but you will eventually see packets from your ISP server to your modem. we retrieve the boot file so that we can modify it for the modem. that is. the upload speed. Other notes. Your boot file is on a . you will be able to see the config file name for faster configuration files. Next. or to other modems. In this step. You will also be able to pick up the packets for business modems as well. take a look at the ASCII and inside that should be concealed the IP of your TFTP server and the config name of your ISP. the destination is usually 255.255. and some other Misc. Now this process might take some time. sometimes you will only be able to sniff them if they are on the same NODE as you. The packets you are looking for will be of Protocol SNMP. When you find the packet. If you have multiple Network cards. CPE (external devices that are assigned IP's).Make sure your Interface is your network interface card.255. make sure you select the one that is connected to your modem. make sure UDP is typed into the Filter box. your frequency.255. info. 25.cm C:\silver. your boot file is silver.26. if your DHCP server is 24. The first thing you need to know is your HFC Gateway (the one you use to browse the internet) .cm you would type tftp -i 24. tftp -i <Server Address> GET <filename> C:\<filename> For example. The principle behind this technique is to make your computer look like your modem. You can use the TCNiSO Step 2 Software to download your config You can also retrieve your config from the Command Prompt. HFC Address Spoofing This concept was originally derived from Byter. you can also create your own. you can try to "Spoof" your cable modems HFC Address.26.1. This can be done.cm Since ISP's can enable there systems to only let cable modems download the files.remote server at your ISP known as the TFTP Server.1 GET silver.25. Since ISP's will now try to make this difficult for you to retrieve this file. edit it. For example. read Step 4. Once you have your config you can change your IP back or move ahead to Step 3.2.3 then you change your IP to 10. Now that you have changed your IP.microsoft. and then re-encode if for your modem.100. so if the number was 255 you could go to 254.2. you should be able to use the above programs or methods to retrieve your config. First we will decode your file. STEP 3: Step 3: Change your config file to the desired speed. Note: When you change your IP address you may not be able to surf web pages.You can get your HFC address by using your modems Internal Website Go to http://192. Edit your config file using TCNiSO's own config editor called Docsis32Pro (byter) . Change your IP to the IP of HFC Address. if your HFC Address was 10. In this step.65.com The first IP listed should be your HFC IP (the first IP (The A Class) should start with a 10) Once you have that information.4 Technically you could use any number in your D class. and then add 1 to your D Class. you need to change your computers IPs. we take a closer look at your boot file (Config).html and write down your HFC IP Address You can also get your HFC by using Tracert (incase your Web interface is disabled) At the command prompt type and run tracert -d www. And make necessary changes modification to change the speed . You can check out the Alternative HFC Spoofing technique here.65.168.1/address. If you need help changing your IP. This software makes it really easy to open up a config and change the speed values. SNMP Objects and expressions. For more Advanced users who wants to play with more settings. You can also use this to create a config file in the event you don't have one. if you dont own a router but have a hub. CmMic and CmtsMic are Check sum values for the config. So 10000000 equals 10Mbits. In the future we will release a easy to understand manual for all of the OID's. SwUpgradeServer is the server your modem will look at to receive updates. Basic Config Definitions: MaxRateDown and MaxRateUp is your download and upload speeds. You can find a copy of it in the Software section. Edit your MRD and MRU to your likings. you can connect extra computers to the modem. MaxCPE is the number of devices you can connect to the modem. these values are displayed in bits. Any line containing this should . Or to create your own basic config file. Get ConfigEdit by need2down. For example. Do not make these values unreasonable high. any line containing this should also be deleted.be removed. In your Local Area Connection Properties. should be deleted.2. any line that contains this.69.1 = 4.69.7.3.1 = "public". This has been reported to work on some machines when the normal method did not work. that is.2.1.1.2. this new file is placed in your existing directory. Once you edit your config. can be deleted or the "=" replaced with the word "Integer" SnmpMibObject .1.1.4. values.1. Choose Internet Protocol (TCP/IP) and Click Properties . any line that contains this. GenericUnknownTLV.2. with a number after the. To do this. with a string after the values.3.1. make sure you name it the same as your original.1.6. You then will need to connect the computer to the modem through a Local Area Network (LAN) Trouble Shooting Tip: Some times you need to unplug your modem when you change your IP. that is. STEP 4: Step 4: Setup a TCP/IP Interface on the TFTP Server IP (Change IP) In this step you setup a client that we will use to act as a TFTP Server which we will then use to send your modem your config file.1.6. you need to have a Computer that is capable of running TFTP Software.1. SnmpMibObject .1. find your TCP/IP Protocol and Click properties. Under your network properties. And under Device Usage.255. Change your Subnet mask to 255. Find your NIC Card and click Properties.168. Right-Click on "My Computer". Check "Disable in this hardware profile". . go to properties.1 (That is the IP of your Motorola Modem) Note: Your DNS server's does not matter when uncapping. First you need to disable your Network Interface Card (NIC). Change your IP to that of your DHCP server's address.0 Change your Default gateway to 192.100.255. follow these steps. Then Go to the device managers tab and find your NIC Card under the Network Adapters. without restarting.Make sure your Using a Specified IP Address.. Click Ok then Click Close. Before: After: Click OK and your machine will make the changes without restarting Windows 98 Users: To change in Windows 98 or Windows ME. STEP 5: Step 5: Setup a TFTP on Your System And Upload the New Config Now that we have a computer setup with the IP of the TFTP Server. Note: This application also pings your modem while attempting to send the file. and Enable your NIC Card. Security: Non (We don't want to Authenticate your modem do we?) Base Directory: The Directory your Edited config file is in. Next Click the Gateway tab and add 192.100. (This is sometimes necessary for some modems. make sure it says "Listening on port 69" Before you make any changes to the Settings Tab. You can also use tftpd32.168. Once the Server is configured. Click Specify IP Address and fill in your TFTP Server IP and Subnet mask. Click Close. just set your path of your config and click Start Server. When you first run it. return to the Device Manager.exe. TCNiSO Step 5 (TFTP Server) This application is really easy to use. you must setup and install a TFTP Server. once you change your IP. Once your NIC Card is functioning again. when the modem boots up.Under the IP Address tab. Translate Unix file names (Unix systems don't support file names with Special characters or spaces. Click on Properties and Make the Following Changes.) .) And it also sets the Time of Day on your modem. Proceed to Step 5. Click NO. When prompted to restart. it should download the config from the server.1. Now. Use Tftpd32 only on this interface should be set to your DHCP server. the Cable Modem needs to be restarted. your modem should Request the file (in this case isrrlP1BW1. but failed Integrity Check (MIC) This is the error that Invalid MD5 check is required. As you can see. and your Server should Send it to your Modem. It should Say that your Modem is Asking for that Boot file. Also. this is usually an error. Trouble Shooting Tip: If your modem requests the boot file several times. To do this go into your command prompt and type "ping -t 192.168. is Check the modems logs and try to determine what that error is.1" . Try and use the MD5 Remover from the software section. Your Power light should come on and start Flashing. If your modem asks for any additional files.bin) And Your computer should send out the file it requests. You modem now has the edited file and is uncapped.Click OK and Minimize tftpd32. Now notice your TFTP32. Unplug your modem then plug it back in.100. The first thing you should do. unplug your modem Copy and Paste your Boot file in your C: and Rename it to the file it was asking for.exe main Window.exe Make sure your EDITED Boot file is in C:\ (Your Base Directory) Next.0 TFTP Complete. all you have to do is restart the cable modem. some users with SB3100's have had to ping their modems while they restarted it. If your modem accepts the edited file. If you see an error called 1-Emergency D8. Note: Some websites might not have enough bandwidth open for you to get fast speeds to. Now. Click OK. Change your IP and your Default gateway back to how you had them before. Download and Enjoy the Speed. try to upload a MP3 or a file to a friend. To test your connection. or go visit a very fast website. Once that is done. Return back to your TCP/IP Settings.CableModemHack.DerEngel . You can enter your original settings in here. or Set both settings to Obtain Automatically.com in association with TCNiSO STEP 6: Step 6: Change your Settings back and Download Since you can not browse the internet with the settings of your ISP you need to change it back to the original settings. You should you should be able to download and upload the maximum values physically possible. With your modem running a new config file. My favorite part. and your computer will go should now return and should be online.Copyright 2002 . . First Restore your TCP/IP Settings You must change your IP back to one that your ISP will allow you to have online. Try uploading your original untampered config.It shows us your appreciation for all the hard work we have put into this project. If it will upload then you may be able to find faster files in your area.COM . Your Config file might Possibly be incorrect. some are.com . IRC Channel is #Surfboard on Efnet On a final note if your modem will not take the config file you are trying to send to it even after you use the md5 hack. For faster files use those included in the onestep program and visit fibercoax. One on One help can be available. Plug back in your modem. also Visit our IRC Chan. don't hesitate to Email me. If you found this Page useful or have ANY Questions. Email Address: [email protected] also offers a finder called dfile thief. you will need to Setup a TFTP Server to Resend the the edited config.com For msn im And Nickadavid on AIM ALSO DON’T FORGET TO VISIT THEORYSHARE. Also keep in mind that there is new firmware floating around that ISP's can use to re-cap you permanently. please donate 5$ through PayPal. Unplug your modem. If you want to help out.Most Cable modems are not capped on the downstream. Also. Speeds will vary from your location and quality of your cable. we have much to offer for capped or uncapped people alike. So don't forget to check out the Firmware section. Have a nice day… Monkeywrencher Nickadavid@msn. Turn off your TFTP server. If your Modem's Activity light is still on and you cannot seem to connect to the internet.net for a config finder. Also currently surfboardhack. every time your modems power is cycled.