Techwatch Support Forums > Tech Forums > Digital TV > UK Cable > Cable Modems

Thread: Stealth..............

03-02-10, 10:46 PM, #11 - River-Rat (Ex cable guy)

Quote: Originally Posted by funkyfones
hang on I'l copy paste the contents of the cfg file, maybe that'l help..



[WebGUI]
Authentication = 'false'
Username = 'admin'
Password = 'admin'
[Telnet]
Enable = 'true'
Username = 'admin'
Password = 'admin'
[Settings]
CertType = '0'
DisableSwDload = 'true'
ForceNetAccess = 'false'
TftpEnforceBypass = 'false'
IgnoreMgmntMsgs = 'true'
DisableIPFilters = 'false'
BpiPlusBypass = 'false'
[Spoof]
OverrideHardwareRev = 'false'
HardwareRev = '119'
OverrideBootRev = 'true'
BootRev = '3.1.6d'
Model = 'E08C007'
Vendor = 'AMBIT'
Version = '2.94.1015'
[SNMP]
Port = '161'
SuspendAfterReg = 'true'
RedirectTraps = 'true'
TrapIP = '127.0.0.1'
TrapPort = '162'


Basically it puts all those settings in automatically. It unticks two parts in Settings you would normally use, as well as the four error boxes?
__________________
1 meter dish with octo lnb, xtrend et9200HD e2 box, 50inch Panasonic vt30. ps3, lg cinema sound

03-02-10, 10:48 PM, #12 - lee-ds (Cable Animal)

If you stick an up-to-date 2MB dump on it, then just change the MAC, it should do the trick (for your area, it may need a couple of other adjustments).
__________________
If at first you don't succeed.......flash and flash again!

03-02-10, 10:50 PM, #13 - funkyfones (Senior Member)

I modified mine and got it working. This config as it is worked once but not again; might be down to certain MACs needing the settings a certain way. Anyway, give it a shot, that's if you're not getting any luck with another method. Play with it.
03-02-10, 11:07 PM, #14 - River-Rat (Ex cable guy)

Quote: Originally Posted by lee-ds
If you stick an up-to-date 2MB dump on it, then just change the MAC, it should do the trick (for your area, it may need a couple of other adjustments).

How would I do that? I did what was said with the settings and still nothing, dude. On now my Ambit 250 and motor 5100 still getting 0.24 MB and kicked after 10 mins, even though the modem lights are on.
__________________
1 meter dish with octo lnb, xtrend et9200HD e2 box, 50inch Panasonic vt30. ps3, lg cinema sound

04-02-10, 12:11 AM, #15 - lee-ds (Cable Animal)

Quote: Originally Posted by seamouse
How would I do that? I did what was said with the settings and still nothing, dude. On now my Ambit 250 and motor 5100 still getting 0.24 MB and kicked after 10 mins, even though the modem lights are on.

Not looked right into it, as I've not had a problem for more than 10 mins. (Sorry.)

TwoBeerCans posted his theory on another forum (WM's). Credit goes to him for this post:

My Notes:

Dedicated to Mr R Branson Esq. All names and events portrayed herein are fictitious, and although they may bear some resemblance to real events or conditions, the relationship is purely coincidental.


Firstly, let's talk about modems that get stuck on ranging and go on from there.

OK, so you set your default freq, you know it is correct, yet the modem is stuck on ranging. This is happening because the MAC is invalid or the identity spoof is invalid. When the CM (cable modem) does its initial sniff of the preferred DS frequency it gets a lock, at which point the modem's identity seems to be checked. If it gains enough points it will be sent a directive to alter the primary DS frequency to another (not in all cases, but the criteria for a response seem to be the same, i.e. "don't know what you are! not responding"). It then goes on to establish ranging and receive ranging data from the CMTS. Move on. (Do not confuse the model of your modem with its identity; its identity is what the firmware says it is, not what the model no. on the underside of the modem you're using says it is.)


So we got to the point where we were able to be recognised and had enough points to have a word with the DHCP server to hopefully get some connectivity. Now we get into MAC validity: OK, we are not valid, we get told to fook off; or we are using a valid MAC and we get told we need to get the configuration file from the TFTP server. Move on.


OK, here is some nifty stuff: the CMTS becomes our TFTP server! The CMTS requests our config file from the TFTP server, and upon receipt it checks the config file using the network shared secret and an MD5 hash. It does this to make sure we didn't spoof the TFTP server or upload our own config to the provider's TFTP lol.
(We can't, because we don't have the network shared secret.)
Now the CMTS recomputes the MD5 adding a dynamic shared secret which only it knows and which is chosen at random on each event. In this way it can make sure of two points: 1) we did actually initiate a transfer of the file, and 2) more importantly, when we send back our configuration it can make sure that it matches the one sent by performing a MIC (Message Integrity Check), adding the dynamic shared secret to the data received and recomputing the MD5 hash. This makes forcing a config impossible for obvious reasons. The old flaw of modifying the config file by removing bytes preceding the MD5 hash has been defeated by using the dynamic shared secret. VM also opted to enforce random config filenames; this was clearly done in order to inhibit sniffing and knowing the tier of the MAC without trying it (buggers lol).
If your CM is forcing the config it will result in it being bounced out of the CMTS registration, so basically it just keeps rebooting.

DO NOT ATTEMPT ANY KIND OF WEB GUI FIRMWARE UPDATE WHEN YOUR MODEM IS IN THIS SORT OF CYCLE!!! OR WHEN IT IS CONNECTED TO A CABLE FEED.

If you must update, then remove the cable feed; it is OK to change your firmware using the GUI while it is scanning.

Many areas seem to be enabling BPI 1.0 and they have set their punishment regime in a few different ways; I am not clear yet why, tbh. In some areas people will be assigned a ludicrously low QoS (Quality of Service), meaning low bandwidth. This is because your clone has been logged as a naughty boy because it has failed a test during registration!
But it was still allowed network access. In some areas there is a straight refusal to provide service (reject). < my area lol
If you receive the low QoS response then don't bother trying to change settings etc., because the low QoS config will continue to be served to the modem even if it re-registers using the correct settings! This is usually the case for 24 hrs from the point of the initial detection (the modem MAC must be offline for a full 24 hrs before the restriction is lifted). It has assumed a theft of service and that is the punishment. (Remember, it is the CMTS that is doing this, not the TFTP server; you never actually connect with that.) This mechanism deters hackers and has absolutely no effect on the owner of the legit MAC on another CMTS (uBR).


At the moment it is my analysis that Doc 1.1 is not currently in use for all pre-Ambit 250 modems. The use of this in provisioning will mean that the second level of hardware security is activated: rather than just accepting the spoofed modem description from the stealth page, the modem will be asked to provide manufacturer certs contained within the firmware. These should also tally with the MAC address. A problem here for the cable provider we are using is that they have got 1000s of old modems out there; the certs in these modems may very well be close to expiry, if not expired, and require updates. Hopefully VM do not possess the ability to get these updated. If that's the case they will be stuck using DOC 1.0 for all older modem types pre-250 Ambits.

Some tips and tricks to bear in mind:

1) Spoof your modem correctly; that is what the stealth page is for in haxorware!!

2) When you use your MAC, use the fookin MAC Calculator by ImH to set your serial/USB MAC/ethernet MAC as well as your HFC MAC.

3) If you receive a negative registration response, change your BPI settings (also change your MAC for a fresh one).

4) If you change any of the parameters of the above, then rotate your NIC MAC using your preferred MAC changer.

5) Do not attempt to autoserve any config unless the config file you receive is always ending in ".cm". This indicates that the MAC belongs to a modem that is legit BUT it is very old and does not support dynamic shared secret.

6) Fook me, I guess we all know what the registration page is all about, so we will skip that lol

In conclusion:

When asking why one's modem does not get online or just keeps rebooting, it seems reasonable that you should inspect your own telnet log: plug in your MAX232, open a telnet window and save a copy of what happens. I wouldn't go posting all your logs on the forum, because they do have data specific to your modem and it is likely some will fail to edit that data.
But using what I have said above you should be able to reach some conclusions of your own about why your attempts are failing.

If, for instance, you can't get an upstream lock, then the CMTS doesn't want to talk to your CM, probably because your hardware/firmware spoof is not a recognised one on your CMTS. Or you were dumb enough to use a MAC that is already online on that CMTS lmao


These are just a few thoughts on this subject. Tbh I have never really been into modems, but they are handy for staying semi-anonymous online and torrents etc. It really got on my tits when my 3-year-old 20MB Infinity went tits up, having been banned by the CMTS the other night. It was a right stinker digging that fooker out from behind the PC that ain't moved for 2 years lol. Needless to say I fooked up the flash to haxorware from Infinity using ethernet only (long story), but I changed it out for a haxorware 11 rev 39, rejigged it and was back online with a fresh MAC in 15 minutes with 20MB.
Thanx for the heads up Cisco; reading your security bulletins and a few other places was very interesting.

Now then, where was I? Oh yeah, was just gonna rape the VM news server for 24 episode 5.


PS, a useful command: /non-vol/snmp_cm/sysDescr. It shows us the stealth spoof that is returned.

TBC
__________________
If at first you don't succeed.......flash and flash again!

Last edited by lee-ds; 04-02-10 at 12:19 AM. Reason: added forum initials.
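The config-file integrity checks described in the post above, modelled from the CMTS (defender) side as an added example; this is not code from the post or from any DOCSIS implementation. The TLV layout, lengths and secret value are constructed for illustration, and the per-event secret the post describes is held fixed for the duration of the one exchange shown.

```python
import hashlib
import hmac

# Simplified model of the two-layer integrity check: an unkeyed digest over the
# config TLVs (the older, forgeable check) and a keyed digest using a secret that
# only the CMTS side holds. Not the real DOCSIS wire format of any operator's files.

def build_config(max_down_kbps: int, max_up_kbps: int) -> bytes:
    """Encode a tiny constructed TLV config: type 1 = downstream cap, type 2 = upstream cap."""
    return (bytes([1, 4]) + max_down_kbps.to_bytes(4, "big")
            + bytes([2, 4]) + max_up_kbps.to_bytes(4, "big"))

def cm_mic(config: bytes) -> bytes:
    """Unkeyed MD5 over the TLVs: anyone holding the file can recompute this after editing it."""
    return hashlib.md5(config).digest()

def cmts_mic(config: bytes, secret: bytes) -> bytes:
    """Keyed MD5 (HMAC) over the TLVs plus the unkeyed MIC, bound to the CMTS-side secret."""
    return hmac.new(secret, config + cm_mic(config), hashlib.md5).digest()

def serve_config(config: bytes, secret: bytes):
    """Provisioning side: what the modem receives (TLVs, CM MIC, CMTS MIC)."""
    return config, cm_mic(config), cmts_mic(config, secret)

def cmts_accepts(config: bytes, presented_cm_mic: bytes,
                 presented_cmts_mic: bytes, secret: bytes) -> bool:
    """Registration-time check: both digests must match what the CMTS recomputes with its secret."""
    if not hmac.compare_digest(cm_mic(config), presented_cm_mic):
        return False
    return hmac.compare_digest(cmts_mic(config, secret), presented_cmts_mic)

def demo():
    """Returns (genuine_accepted, tampered_accepted) for one constructed registration."""
    secret = b"constructed-shared-secret"          # known only to the CMTS side
    cfg, m1, m2 = serve_config(build_config(2_000, 500), secret)
    genuine = cmts_accepts(cfg, m1, m2, secret)
    # A file whose caps were edited, with the unkeyed MIC recomputed to match, still
    # fails because the keyed digest cannot be recomputed without the secret.
    tampered = build_config(20_000, 2_000)
    tampered_accepted = cmts_accepts(tampered, cm_mic(tampered), m2, secret)
    return genuine, tampered_accepted

if __name__ == "__main__":
    print(demo())
```

The same model also explains the "bounced out of registration" behaviour the post mentions: the keyed check fails, so the CMTS refuses to complete registration rather than serving the edited tier.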
04-02-10, 06:26 AM, #16 - BigJ1 (Member)

I read somewhere that in the USA they check the firmware version, model etc. against the MAC as a check. Could this happen here also?