Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 12 posts ] 
 Post subject: How docsis cable modems work
PostPosted: 19 Jun 2008 06:53 

Joined: 16 Aug 2007 06:25
Posts: 367
This is a discussion continued from another thread. But we were starting to hijack the thread and go off-topic, so I figured I would start a new one with all the information I discovered about how docsis cable modems work. I hope you enjoy... and if I made a mistake anywhere let me know!

After doing further research into the topic, it appears that this is how all CableLabs DOCSIS-approved modems work:

1) Cable modem is powered on. It sends out a BOOTP request. The CMTS on the cable provider's side will send a BOOTP reply that contains various information such as a config file name, tftp server, time server, syslog server, etc.
2) The cable modem looks at the BOOTP reply with all that nice information, and uses it in the following way:

- It connects to the TFTP server, and downloads the config file mentioned.
- It uses the time server to update its clock (considering that it doesn't know the correct time when it boots up). This allows for accurate logs that can be sent to the syslog server.

3) The config file is a binary file that is written specifically for DOCSIS modems. I can give you samples of one, but there are plenty online. There is also a free tool on sourceforge that allows encoding/decoding of config files (http://docsis.sourceforge.net). The config file must be binary so that the cable modem can read it, so in order to edit an existing config file you might use that tool to decode it first. The config file contains information such as:

- NetworkAccess: this is a value set to 0 or 1 which defines if the modem can access the ISP's network and pass on DHCP requests and whatnot.
- MaxCPE: this defines how many CPE devices can exist on the customer's side. In many cases, it's only 1 (so you can't get more than 1 public IP!)... but oftentimes cable ISPs allow more than 1 just to alleviate the complaining customers who can't get an IP because they switched computers (new NIC) or something similar... and never restarted the modem to clear the CPE MAC address ties. Lucky for me, my ISP allows for around 7-10 CPE devices. So yes, I can get that many public IPs. This is most likely a problem on their end considering I am a residential customer, but I am not going to say anything :). Plus, they know exactly how many CPE devices you are currently using, and I can assure you that logs are kept. So don't do anything that is going to get your internet shut off.
- Speeds: This isn't an exact variable, but in general, the config file also specifies what speeds (upload, download) your modem can have. This is where we get into spoofing the TFTP server so you can generate a custom config file and uncap your speeds! Yes, it is possible to use your own config file, but it is very hard nowadays. Cable modem "speed uncapping" was a popular concept back in the day with particular modems, so if you want to know more about it and how it's done, do a Google search. But as of today, it's pretty tough to do (although it's still possible). It basically involves spoofing the TFTP server so that your modem downloads a config file from you, rather than from the ISP. Be warned, this is another thing that will probably get your service terminated if you do it. They know how much bandwidth you're using, they aren't stupid! If you're using 10MBps when your account is only specified for 2MBps, you're going to get in trouble.
- The config file contains a lot of other cool information, but doing some Google searches can tell you more about what it contains.

4) So now your modem is powered on and it has a config file! If NetworkAccess is set to 1 in the config file, your modem is authorized to talk on the ISP's cable modem network, and can relay DHCP requests from any client devices connected to the modem. You can get as many DHCP leases for your client devices as whatever MaxCPE was set to. Once a CPE device has a public IP, you are officially online. Congratulations.


Other useful information/clarifications:
- The config file that you download is determined by your HFC MAC address. So when your modem sends that BOOTP request, the CMTS looks at the HFC MAC address and says: "oh, that's a residential customer. He gets the config file residential.bin which allows for 3MBps/256Kbps, with a maximum of 2 CPE devices!". The CMTS may also say "I don't recognize this MAC as a customer!... He gets disabled.bin which gives him no network access and 0 MaxCPE devices!"

- DOCSIS modems are required to make use of SNMP. This can allow the customer to see useful information such as the TFTP server's IP address, config file name, etc. that is normally not visible on the Ethernet side of the modem. Docsdiag is a good/free tool for querying such information from the modem. However, the DOCSIS config file can specify that only certain IP ranges can request to see the SNMP info, thus blocking customers from getting the data. My ISP does this; however, they didn't a while ago when docsdiag worked perfectly :P. I guess they are learning how to better secure themselves.

- DOCSIS has many versions: 1.x, 2.0, 3.0... and all may have slightly different ways of operating. 3.0 is fairly new and isn't widely deployed yet. 2.0 seems to be the most common right now, while 1.x versions are fading out of networks.


Hope some of this was useful or interesting to someone. If I made a mistake, or was confusing anywhere, let me know and I will fix it. A lot of the research came from Google searches, considering that some DOCSIS specs are actually kept undisclosed to the public and are protected under a vendor NDA. However, you can download PDFs of some DOCSIS specs from CableLabs' website (http://www.cablelabs.com/).
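As an added example (not part of the post above, and not the SourceForge docsis tool's code), the Python below builds and decodes a minimal DOCSIS config file in the same TLV format that tool handles: TLV 3 (NetworkAccess), TLV 4 (Class of Service, whose sub-TLVs 2 and 3 carry the maximum downstream and upstream rates in bits per second), TLV 18 (MaxCPE), and the two integrity fields the file also contains: the CM MIC (TLV 6, an unkeyed MD5 over the preceding TLVs that anybody can regenerate) and the CMTS MIC (TLV 7, an HMAC-MD5 keyed with a shared secret configured on the CMTS, which the CMTS checks when the operator has set one). uncap() does to the file what the spoofed-TFTP trick does, and verify() shows why that fails against a CMTS with a shared secret the subscriber does not know. The TLV numbers, the MIC definitions and the CMTS MIC coverage order are from the CableLabs RFI specification; the shared secret, rates and CPE count are constructed for the example.

```python
import hashlib
import hmac
import struct

# Top-level DOCSIS config-file TLV types used here (CableLabs RFI numbering).
T_PAD, T_NETWORK_ACCESS, T_CLASS_OF_SERVICE = 0, 3, 4
T_CM_MIC, T_CMTS_MIC, T_MAX_CPE, T_END = 6, 7, 18, 255
# Class-of-Service (TLV 4) sub-TLVs; rates are 32-bit big-endian bits per second.
COS_CLASS_ID, COS_MAX_DS_RATE, COS_MAX_US_RATE, COS_PRIVACY_ENABLE = 1, 2, 3, 7
# Order in which the CMTS MIC covers top-level TLVs (DOCSIS 1.0/1.1 RFI);
# types absent from a file are skipped and TLV 7 itself is never covered.
CMTS_MIC_ORDER = (1, 2, 3, 4, 17, 43, 6, 18, 19, 20)


def tlv(t, value):
    """Encode one element: one-byte type, one-byte length, value."""
    return bytes([t, len(value)]) + value


def serialize(tlvs):
    return b"".join(tlv(t, v) for t, v in tlvs)


def parse_tlvs(data):
    """Return [(type, value), ...]; stops at end-of-data (255), skips pad bytes (0)."""
    out, i = [], 0
    while i < len(data):
        t = data[i]
        if t == T_END:
            break
        if t == T_PAD:
            i += 1
            continue
        n = data[i + 1]
        out.append((t, data[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def compute_cm_mic(tlvs):
    """CM MIC (TLV 6): unkeyed MD5 over every TLV before it, in file order."""
    before = []
    for t, v in tlvs:
        if t == T_CM_MIC:
            break
        before.append((t, v))
    return hashlib.md5(serialize(before)).digest()


def compute_cmts_mic(tlvs, shared_secret):
    """CMTS MIC (TLV 7): HMAC-MD5 under the CMTS shared secret, TLVs in spec order."""
    covered = b"".join(tlv(t, v) for want in CMTS_MIC_ORDER for t, v in tlvs if t == want)
    return hmac.new(shared_secret, covered, hashlib.md5).digest()


def build_config(network_access, max_ds_bps, max_us_bps, max_cpe, shared_secret):
    """Minimal DOCSIS 1.0-style config: access flag, one service class, MaxCPE, MICs."""
    cos = (tlv(COS_CLASS_ID, b"\x01")
           + tlv(COS_MAX_DS_RATE, struct.pack(">I", max_ds_bps))
           + tlv(COS_MAX_US_RATE, struct.pack(">I", max_us_bps))
           + tlv(COS_PRIVACY_ENABLE, b"\x00"))
    tlvs = [(T_NETWORK_ACCESS, b"\x01" if network_access else b"\x00"),
            (T_CLASS_OF_SERVICE, cos), (T_MAX_CPE, bytes([max_cpe]))]
    tlvs.append((T_CM_MIC, compute_cm_mic(tlvs)))
    tlvs.append((T_CMTS_MIC, compute_cmts_mic(tlvs, shared_secret)))
    return serialize(tlvs) + bytes([T_END])


def describe(data):
    """Pull out the settings the post discusses."""
    info = {}
    for t, v in parse_tlvs(data):
        if t == T_NETWORK_ACCESS:
            info["network_access"] = v == b"\x01"
        elif t == T_MAX_CPE:
            info["max_cpe"] = v[0]
        elif t == T_CLASS_OF_SERVICE:
            cos = dict(parse_tlvs(v))
            info["max_ds_bps"] = struct.unpack(">I", cos[COS_MAX_DS_RATE])[0]
            info["max_us_bps"] = struct.unpack(">I", cos[COS_MAX_US_RATE])[0]
    return info


def verify(data, shared_secret):
    """(cm_mic_ok, cmts_mic_ok), judged as a CMTS configured with that secret would."""
    tlvs = parse_tlvs(data)
    present = dict(tlvs)
    cm_ok = hmac.compare_digest(present.get(T_CM_MIC, b""), compute_cm_mic(tlvs))
    cmts_ok = hmac.compare_digest(present.get(T_CMTS_MIC, b""),
                                  compute_cmts_mic(tlvs, shared_secret))
    return cm_ok, cmts_ok


def uncap(data, new_ds_bps, new_us_bps):
    """What the spoofed-TFTP trick does to a file: rewrite the rates and regenerate the
    keyless CM MIC; the old CMTS MIC is copied because recomputing it needs the secret."""
    original = parse_tlvs(data)
    new_rate = {COS_MAX_DS_RATE: struct.pack(">I", new_ds_bps),
                COS_MAX_US_RATE: struct.pack(">I", new_us_bps)}
    tlvs = [(t, serialize([(s, new_rate.get(s, sv)) for s, sv in parse_tlvs(v)])
             if t == T_CLASS_OF_SERVICE else v)
            for t, v in original if t not in (T_CM_MIC, T_CMTS_MIC)]
    tlvs.append((T_CM_MIC, compute_cm_mic(tlvs)))
    tlvs.append((T_CMTS_MIC, dict(original).get(T_CMTS_MIC, b"")))
    return serialize(tlvs) + bytes([T_END])
```

Usage: `cfg = build_config(True, 3_000_000, 256_000, 2, b"constructed-shared-secret")` gives a file that `describe()` reads back and `verify()` accepts under that secret; `uncap(cfg, 10_000_000, 1_000_000)` produces a file whose CM MIC is valid but whose CMTS MIC no longer matches, which is the check a modern CMTS performs at registration. Note that without a shared secret on the CMTS only the keyless CM MIC protects the file, and that the file itself is fetched over plain TFTP.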


PostPosted: 19 Jun 2008 14:20 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
So basically we can say that all modems use the MAC address to get their "connection".
The connection is the config file.

Anyway, I spent weeks figuring out how to "hack" into the ISP and get myself better speeds.
In short: you need to get the config file and then use your own custom config file with your custom speed.
I also found out that a LONG time ago (maybe 10 years or so) some modems kept the config file on your own computer, lol. So you were able to simply change it.

I even have tutorials for specific modems (it has a lot to do with the modem you have and its settings). The tutorials are for some Motorola SURFboards, so if somebody is interested let me know.

OK, another thing... I've been arguing with one ISP here for a week, lol. They are so dumb there!
Basically I have one company right now, but I was thinking of switching, because the other company has 15 Mbit download and 1 Mbit upload (I have 12 Mbit down and 768 kbit up) and it's also half the price.
So I asked how exactly it works.
They say I need a router (SpeedTouch 780), and even if you have your own you can't use it (WTF??).
Yes, I already have a SpeedTouch 780WL (WL is just the wireless feature).

How come I can't use it? Aren't all DSL connections based on username:password? As far as I know DSL does not use the MAC address or any config file. I simply log in to my ISP account and get the connection. In the router I simply enter the user:pass and that's it!!
So why do they say I can't use my own, lol?!


PostPosted: 19 Jun 2008 18:47 

Joined: 16 Aug 2007 06:25
Posts: 367
I would ask them "Why can't I use my own? What does your modem do that mine can't? As your customer, I should have the right to know that.".

Some aDSL providers may have modems that have features made proprietary to their system. I am not exactly sure what features that might be, but I would definitely ask them if this is the case. If they can't tell you why only their modem will work, then they are just stupid.

As for uncapping cable modems... it was easy back in the day when modems were designed a certain way. Here is how it was typically done:

1) Connect to the modem as normal from PC -- Modem -- Wire so that you have an active internet connection. Don't use a router or anything else in the middle that might not allow you to see broadcast traffic. Use a packet sniffer to look for BOOTP requests coming from other modems that just powered on (remember, they are broadcast packets so you can see them too).
2) In the BOOTP reply from the CMTS, you can see the TFTP server and modem config file. This is all you typically need.
3) Using command prompt, download the config file from the tftp server:
tftp -i 10.20.30.40 GET residentialcustomer.bin
4) Decode the config file with the docsis program mentioned in my previous post, edit the speeds to your liking, and encode it again.
5) Set up a TFTP server on your own computer, and change your IP address on your network card to that of your ISP's tftp server. Host the config file on the tftp server so that everything can access it.
6) Boot up the modem, but do not plug in the coaxial cable! This is where the faulty modem design comes in. Many modems would broadcast their BOOTP request on the Ethernet interface as well as the RF interface. This allowed a spoofed TFTP server, the one on your computer, to reply to the modem with the altered modem config. After the config was downloaded by the modem (you can see the status in your TFTP server's log), plug the coaxial cable back into the modem and hopefully enjoy your new speeds.

A note on step 2: there is a program called CoaxThief (available at http://www.tcniso.net/Nav/Software/) that automatically captures the broadcast packets and displays the TFTP server, config file, etc. in a nice readable format. However, a typical packet sniffer can do just this, but might require filtering to see the data you want.

However, most modems nowadays don't broadcast on other interfaces (only on the RF interface)... so spoofing the TFTP server won't work at all. This is why it was a faulty modem design back in the day. But there is a website out there that goes more in-depth called http://www.tcniso.net/. They go into showing you how to physically alter the modem so that you can change things such as the firmware, MAC address, etc.
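The reply that step 1 of the first post and step 2 above read off the wire, as an added example that is not part of either post: the Python below constructs a DHCPACK of the shape a CMTS-side provisioning server sends to a modem and pulls out the fields the modem acts on. DOCSIS puts the TFTP server in the fixed `siaddr` header field and the config file name in the `file` field; options 2, 4 and 7 carry the time offset, time servers and syslog servers. Falling back to options 66/67 when those header fields are empty is this example's own choice, and every address, MAC, transaction ID and file name in it is constructed sample data, not a capture.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
BOOTREPLY, DHCPACK = 2, 5
OPT_PAD, OPT_END = 0, 255
OPT_TIME_OFFSET, OPT_TIME_SERVER, OPT_LOG_SERVER = 2, 4, 7
OPT_MSG_TYPE, OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME = 53, 66, 67


def option(code, value):
    return bytes([code, len(value)]) + value


def _ip4(raw):
    return str(ipaddress.IPv4Address(raw))


def _ip4_list(raw):
    return [_ip4(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def parse_options(data):
    """Options are TLVs after the magic cookie; pad (0) has no length, end (255) stops."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        n = data[i + 1]
        opts[code] = data[i + 2:i + 2 + n]      # assumption: each option appears once
        i += 2 + n
    return opts


def parse_reply(pkt):
    """Extract what a DOCSIS modem acts on from a BOOTREPLY/DHCPACK UDP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if pkt[0] != BOOTREPLY:
        raise ValueError("not a server reply (op != 2)")
    hlen = pkt[2]
    opts = parse_options(pkt[240:])
    siaddr = _ip4(pkt[20:24])
    file_field = pkt[108:236].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "message_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "xid": struct.unpack(">I", pkt[4:8])[0],
        "client_mac": pkt[28:28 + hlen].hex(":"),
        "assigned_ip": _ip4(pkt[16:20]),
        # DOCSIS: TFTP server in siaddr, config name in the file field. Using
        # options 66/67 when those are empty is an assumption of this example.
        "tftp_server": siaddr if siaddr != "0.0.0.0"
        else opts.get(OPT_TFTP_SERVER_NAME, b"").decode("ascii", "replace"),
        "config_file": file_field or opts.get(OPT_BOOTFILE_NAME, b"").decode("ascii", "replace"),
        "time_offset": (struct.unpack(">i", opts[OPT_TIME_OFFSET])[0]
                        if OPT_TIME_OFFSET in opts else None),
        "time_servers": _ip4_list(opts.get(OPT_TIME_SERVER, b"")),
        "log_servers": _ip4_list(opts.get(OPT_LOG_SERVER, b"")),
    }


def build_reply(xid, client_mac, assigned_ip, tftp_server, config_file,
                time_servers, log_servers, time_offset, extra_options=b""):
    """Constructed DHCPACK in the layout a provisioning server uses (sample, not a capture)."""
    hdr = struct.pack(">BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4)                                             # ciaddr
    hdr += ipaddress.IPv4Address(assigned_ip).packed            # yiaddr: the modem's IP
    hdr += ipaddress.IPv4Address(tftp_server).packed            # siaddr: TFTP server
    hdr += bytes(4)                                             # giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")   # chaddr
    hdr += bytes(64)                                            # sname
    hdr += config_file.encode("ascii").ljust(128, b"\x00")      # file: config file name
    opts = (option(OPT_MSG_TYPE, bytes([DHCPACK]))
            + option(OPT_TIME_OFFSET, struct.pack(">i", time_offset))
            + option(OPT_TIME_SERVER, b"".join(ipaddress.IPv4Address(s).packed for s in time_servers))
            + option(OPT_LOG_SERVER, b"".join(ipaddress.IPv4Address(s).packed for s in log_servers))
            + extra_options + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts
```

To run it against real traffic, capture with a filter on UDP ports 67 and 68 and hand `parse_reply()` the UDP payload of each packet whose first byte is 2; the `tftp_server` and `config_file` values are exactly the two things step 3 above feeds to the `tftp` command.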


PostPosted: 19 Jun 2008 23:59 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
I would ask them "Why can't I use my own? What does your modem do that mine can't? As your customer, I should have the right to know that.".

Some aDSL providers may have modems that have features made proprietary to their system. I am not exactly sure what features that might be, but I would definitely ask them if this is the case. If they can't tell you why only their modem will work, then they are just stupid.


No, they're not stupid, they're retarded! I did ask, and no reply of course... how predictable. And it's a router: SpeedTouch 780 (the one they offer) and SpeedTouch 780WL (what I have). Whatever it is... I can CHANGE my router's firmware too, like download it to the PC, change it and update it with custom firmware.

OK, about the site you suggested, I haven't checked it yet, but do you know how I can change my router's MAC? I know that some routers have such an option, but mine doesn't.


PostPosted: 20 Jun 2008 01:22 

Joined: 16 Aug 2007 06:25
Posts: 367
They may not have the feature available on that router. Typically it is called something like "clone" mac address. But chances are if you can't find anything related to changing it, it may not exist with that firmware.

If you have an extra computer around the house with a few network cards, you can try something such as pfSense. It's VERY similar to m0n0wall (developed by one of the guys who worked on m0n0wall), but it's designed to be used as a "full pc installation" rather than installed on a compact flash card, or something similar like m0n0wall. But don't get me wrong, m0n0wall can still be installed on a hard drive with a little extra work, but it's more common to be booted from CD or compact flash. pfSense takes the hard drive approach, and they claim it allows for more features that m0n0wall was lacking in.

Anyways, with a pfSense approach, you are using a secure open-source router/firewall, and are able to change your MAC address for each interface on the fly. But considering that your speedtouch is a modem/router built in one, this may not be what you are looking for.


PostPosted: 20 Jun 2008 14:28 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Well, I do have my server machine, which sucks (128 MB RAM, 2x 500 MHz CPUs and a 7 GB HD). It also has 2 Ethernet cards.
I also have a wireless PCI card in my PC. So in total I have 3 Ethernet cards, one wireless and also wireless on the router, but I don't think that's any use.

Gonna check out pfSense. I really would like to change my router's MAC. I've asked on a few forums, but they only give some general bullshit... and also tell me that I shouldn't change it or I can't connect anymore, LOL.

And about ISPs here... they're full of retards. They know basically nothing. They probably don't even know what a packet is...

SomaFM, what would you do to try to change your router's MAC (router/modem)?


PostPosted: 21 Jun 2008 03:37 

Joined: 16 Aug 2007 06:25
Posts: 367
That computer can definitely run pfSense. pfSense and m0n0wall are not demanding at all, and barely use any system resources. 2 network cards is all you need: 1 for the WAN to connect to your modem, and 1 for your LAN. For the LAN, you will need a switch or hub connected to that port so that multiple computers can have access. Otherwise, you are only plugging in 1 computer to the pfSense box.

To change my MAC, I have it set up with a m0n0wall box (though pfSense is almost identical, if not better). When I want to change the MAC, I just log in to the m0n0wall box via the built-in HTTP manager and go to the interface whose MAC I wish to change. Here is a screenshot of me changing the WAN interface, which allows me to obtain a new IP: http://img58.imageshack.us/img58/8239/m0n0walllr1.jpg

My network is set up like so:

Internet --- cable modem --- m0n0wall --- switch --- computers

All computers request DHCP ip addresses from the m0n0wall box. I have it set up in m0n0wall so that only computers I have allowed can obtain IP addresses via DHCP (it filters by the mac address of the machine). This is not really necessary though considering it's just a home network, but it can be a very useful feature to eliminate rogue computers and devices in the corporate environment.

But as for your setup, pfSense might not be the solution you're looking for since your modem is not just a modem... it's a router/modem built in one. So in reality, you probably want to change the mac address of the last router in the chain... and that is the router built into your modem. To do that, you're going to need to get firmware that allows it, or you will have to use a modem that is JUST a modem.

Any reason you're wanting to change the MAC address on your router though? It isn't really a useful feature for aDSL connections, only for cable connections. If you were planning on switching to cable, they would most likely give you a new modem anyway.


PostPosted: 21 Jun 2008 15:51 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
OK, this pfSense and m0n0wall confuse me a little bit.
My server would become like a router with a spoofed MAC?
I downloaded pfSense, but don't really understand it that much. Got the .img file, but couldn't open it in any way. Guess I need the live CD then?

About the MAC change: I just wanna change my router's MAC. I don't like the idea that the ISP knows which router I'm using (by the MAC they know exactly who bought it, etc... I just don't like that). The first 3 bytes (if I can use that term, lol) of the MAC actually show the vendor of the router/modem/PC (the vendor of the network device), like the 00 00 00 part at the beginning shows the vendor.
And of course it's just something interesting to do too :)


PostPosted: 23 Jun 2008 13:12 

Joined: 16 Aug 2007 06:25
Posts: 367
m0n0wall/pfSense are basically FreeBSD distributions that serve as a set of tools for your network (firewall, router, NAT, etc.). As for installation, there are a number of ways to go about doing it. There is a lot of documentation for both applications on their websites that goes into detail about installing each.

For pfSense, you will want to get the LiveCD ISO version and burn it to a CD. Boot from the LiveCD and choose the option to install it to an existing hard drive once it's done loading.

For m0n0wall, it's a little more complicated. The only way to install it to the hard drive is to use physdiskwrite (http://m0n0.ch/wall/physdiskwrite.php). The livecd option for m0n0wall doesn't have the feature to install it directly to the hard drive. To use just the livecd, you must save the settings to a floppy. Both websites go into great detail about how it can all be done.

As for the mac address stuff: on cable connections, your ISP only sees the MAC address of the interface that connects to the cable modem. That is how DHCP works. If the ISP couldn't see your MAC address, how would they know which device is getting the IP address during the DHCP process? They have to know in order for it to work properly. I don't know in detail how aDSL works, but I'm assuming it probably looks at it too. But if you're worried about them seeing clients behind your network: no, they can't see them if they are behind private NAT addresses.

So if you have your computers connected to your speedstream router, the isp can't see any of those computers. They can only see the MAC address of the WAN interface on the router.


PostPosted: 23 Jun 2008 17:28 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
So if you have your computers connected to your speedstream router, the isp can't see any of those computers. They can only see the MAC address of the WAN interface on the router.


This is what I meant: that they see my SpeedTouch router's MAC.
For example, if I enable the wireless feature on the router, then anybody who uses wireless and connects to my router can also see the MAC of my router.

Also, one good thing when I change the MAC: my connection is only username:password based. So if "something" happens I can always say that somebody stole/cracked my user:pass :) Then they check the MAC that was used to connect with my user:pass and they will see it was some unknown MAC. So it's believable... just an example of what use you can have of it.


PostPosted: 24 Jun 2008 00:10 

Joined: 16 Aug 2007 06:25
Posts: 367
The only thing you can do to change the MAC in your case is to use firmware that supports it (if it even exists). The reason is that your modem also serves as a router, so the ISP sees the MAC address of the router interface built into the modem. So if you used m0n0wall, it would have to go like this:

telephone line --- speedtouch modem/router --- m0n0wall --- computers


So in that case, m0n0wall isn't getting the public IP, it's just getting a local IP from your speedtouch box. Therefore, changing the MAC in m0n0wall will not solve your problem, because the isp doesn't see m0n0wall's MAC addresses, they see the MAC on your speedtouch router.

What you could do is start using a pure ADSL modem (if it would even work with your ISP). This would allow you to go like so:

telephone line --- pure ADSL modem --- m0n0wall --- computers

This way, when you change the MAC address on m0n0wall, you are accomplishing the goal of hiding your real MAC from the ISP. But beware of some adsl modems out there: many of them like to have built in routers with NAT so that it's pretty much the same situation you have now. Also, you would want to make sure it works with your ISP. DOCSIS is a widely accepted standard for cable modems, so buying a docsis certified modem is pretty much a guarantee to work with the isp as long as the HFC mac is registered in their system. I am not sure of what standards are used in adsl, which is why I need to research it more :P. Hope that helps.


PostPosted: 24 Jun 2008 18:40 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Hmm, it doesn't help me directly, but it's good to know that.
My ISP doesn't look at anything but the user:pass. My ISP has a lot of area here covered with wireless too. So when I would use a laptop somewhere in the wireless area of my ISP, I would be able to use my user:pass and get my connection there.
The point is: my router/modem has nothing to do with my ISP. I can use anything I want to connect to their network.

About the MAC change again: Alcatel SUCKS!! So people, DO NOT get anything Alcatel related. The router is total crap and the firmware even worse! Can't change the MAC! The worst thing ever is that after the firmware update it's crashing on some websites! As soon as I load the site... boom, and it's crashed. Before the firmware update it randomly rebooted. I really don't know whether to laugh or cry. Fixed one problem and got another, lol... and I can't reinstall the firmware either. The router won't accept it. In other words... this is bullshit.

I was more looking for a way to interact with the router and "hack" into it and change the MAC, OR install my custom firmware that changes the MAC. I think I have some ADSL modem somewhere; gonna try it if it's ADSL, not cable.

