important

adam

by dstream on ul

Virgins attack cloners head on. New modem countermeasure: the encrypted configs
Across the country, slowly, area by area, is the all new encrypted config data.

This started with a small certificate update in the modem ready for this. Not only that, the MAC broadcast on the older modems is affected. Older 200 down to 4100 are affected.

250 and 255, as you are aware, do not broadcast themselves onto the network, hence the lack of them in DHCP sniff etc. So Virgin have decided to attack the cloners head on and use encrypted config data.

Simply put, the config is sent to the modem in an encrypted packet and the modem unencrypts it and stores its information. Currently you're forcing the modem up to 20 meg or similar by requesting that packet for your modem to be sent to you.

Well, the server now sez sorry, p off, don't recognise that packet, don't have that stored to me.

For instance, you send in plain English:

250 cfg high please.

It expects the packet sent to be encrypted, so it applies its algo and codes the packet to this:

zxexcreddfdjhwedfdfd

goes hmm, don't have that, erm, bye, logs modem off network, 1k up 1k down. Its initial setup config.

But what you should have sent is: i want dshgdsjfsjg9oruo config, send it.

It decrypts packet: ahh, you want 120 mid config. And sends it back.

Now here's where the fun is: the data is encrypted on a modem-by-modem basis; no 1 modem or 1 modem ack packet is ever the same. I.e. THEY ain't scannable. A cloned modem doesn't work as it can't force a config.

Some people say, erm, well, piece of p atm, dead easy, let the modem accept the normal config, don't force one. Okay, let's look at this for a mo.

120 gimme a config. Okay, VM check: do you have new certificate installed? No? Okay, I'll let you have it this time.

120 gimme a config. Hmm, still no certif update, k, this time.

120 gimme config. Look, you should have taken an update, now you're a clone.
1k up 1k down. Modem banned off network.

Think this won't happen? Ladies and gentlemen, it's happening right now, NTL areas are updating as we speak. Happened in my area last week and modem banning is there now.

Enjoy the time you have until UK full rollout.






** not sure if we can get round this using self certs or by accepting the download. adam **
 
Good post adam !!!

Ok so we got the heads up .


Now its time to get our heads down and get cracking with a hack !!!


Cheers

Icon
 
Adam, I can't agree with that lol, I think that's all just in theory. I mean... in my area itself, infinite-based modems would stop working for me after say 5-10 mins of downloading, I assume 1kb up/down.

So it is suffering the wrath of what you are describing, but I got your firmware, slapped it on with a MAC, forced 20mb, and hey presto. Surely I would be affected, would I not?
 
Good post adam !!!

Ok so we got the heads up .


Now its time to get our heads down and get cracking with a hack !!!


Cheers

Icon


We could always fight back. It will be interesting to see what VM do if every cloner sets their MAC to one of the same/their own UBR

after they roll this out.
The amount of clones there are, it would cost VM dear and they may change their mind fast.


PS FOR ANY VM STAFF READING: TRY IT
AND I GOT 20 MODEMS HERE AND YOU'RE GETTING 20 CUSTOMERS' MODEMS GOING OFFLINE A DAY AND I'LL BE ENCOURAGING EVERY OTHER CLONE USER I KNOW TO DO THE SAME. HAVE FUN AT VM GUYS

THAT'S GOING TO COST YOU IN NEW MODEMS AND LOSS OF CUSTOMERS
 
Hopefully it will be like the Nagra system lol

BUT I think they are lying about the encrypted configs, they would have to replace all subbed modems for it. I don't think they can send new flash/software updates to the modems, can they?

So far, from what we have seen, it is random config names (not hashed names).

In case you haven't noticed.... I'm trying to stay positive LOL
 
We could always fight back. It will be interesting to see what VM do if every cloner sets their MAC to one of the same/their own UBR

after they roll this out.
The amount of clones there are, it would cost VM dear and they may change their mind fast.


Ahhhh very good point !!!

nice one man :)



Icon
 
That sounds like what I got the other day: a weird config 'ncxv9873254k-fg87dsfd' and only gettin 1kb upload/download speed and pages takin ages to load up. Ahhh well, it was fun till it lasted, I might as well use the modems for a doorstop lol
 
Instead of downloading from their own TFTP, isn't it possible to create your own config and upload to your TFTP and set the speeds as 20mb?
 
Instead of downloading from their own TFTP, isn't it possible to create your own config and upload to your TFTP and set the speeds as 20mb?

That is what was done before mate and they stopped it somehow, I don't know much about it.
The config is an image file so it wouldn't be hard to make your own, it's just what does the image need to be?

It would be easier just to crack the system or wingate 4 modems LOL
 
Sorry, what I meant was uploading into your personal TFTP, not VM. I believe the Comcast users in the US are also facing the same sort of problems as us. But apparently the new dream OS by tcniso is meant to solve all this, including certificate generation.
 
apparently the new dream OS by tcniso is meant to solve all this, including certificate generation.

Fingers crossed for this then.

I suppose mate u could always try heh. Get a copy of the 20mb config, chuck it on ya PC and use tftp32.exe
 
Hopefully it will be like the Nagra system lol

BUT I think they are lying about the encrypted configs, they would have to replace all subbed modems for it. I don't think they can send new flash/software updates to the modems, can they?

So far, from what we have seen, it is random config names (not hashed names).

In case you haven't noticed.... I'm trying to stay positive LOL


Yes, they can send flash updates to the modems.
They did it before with the older Ambits with some of the earlier hacks.
 
Not too clued up on this but I got a 4200e up and running with the speed meter going off the clock, recording 19800 dl and 1500 ul. This lasted for two days then dropped to 1500 and 160.
After another day the connection started to drop altogether and I could not telnet the modem when connected to the cable feed, just showed a black screen with one arrow pointing from the top left hand corner (not responding to anything).

Back to the slow (4mb max) but reliable tiscali for the time being.
 
adam, I sent you a PM m8

Had an idea, not sure if it will work but don't want to stick it in public for VM to read.
 
PS FOR ANY VM STAFF READING: TRY IT
AND I GOT 20 MODEMS HERE AND YOU'RE GETTING 20 CUSTOMERS' MODEMS GOING OFFLINE A DAY AND I'LL BE ENCOURAGING EVERY OTHER CLONE USER I KNOW TO DO THE SAME. HAVE FUN AT VM GUYS

THAT'S GOING TO COST YOU IN NEW MODEMS AND LOSS OF CUSTOMERS

If anyone starts encouraging people to interfere with paying subscribed customers in this way then I'll make damned sure they are banned permanently !

This is not the kind of thing we are here for !
 
Fortunately it's not in my area yet so I have time to work on it :)

Here's more from dstream:


'No, you're missing the point, you can't take the update.

Only the modem on the original firmware can.

You can use your own modem on your own UBR and that's it. You can clone it for now but as soon as the new UBR software hits your area, bye bye.

Hasta la vista, connection. It cannot ask for the correct config so loses connection.'
& some more:

'It's NOT AN FTP SERVER.

It sends data to you, not you to it.

Look, it's like a PC. Stored on yer HD behind a firewall is your PC. The firewall encrypts and decrypts all data sent to it.

Loaded onto your HD is 30 configs, the database.

20meg down, 80k up etc.

You send a request for that file. It sez ok modem, here is your config speed. It's done at head end, there is nothing you can send, it's not a receiving FTP server, don't get them confused together.

Here's a log on sequence.

made up MAC transmitted 00 11 22 33 44 55

ahh you're in UBR area 2

okay acknowledge.

modem please send me config data.

certainly, ack response please

I'm an Ambit 200

server responds: checking account, okay you're paying for 20 meg. encrypts data from this session's key, valid this one time only.

dfsdjhfsgjh3weriweurw

modem decrypts packet: ah, you sent 20meg config. stores it. boots modem to 20 meg.

clone modem.

ack me. I'm 11 22 33 44 55

checks data: you're a 20meg

sends key crypted. modem goes wtf do I do with that then.

ignores

sends ack me I'm 11 22 33 44 55

you're a clone ain't you

booted!!'



** Well, I use orig firmware so if that's what he meant I should be okay, but I have just searched their servers and I can't find the update for the 250 - it certainly isn't the upgrade named in the config 'ntlhm250_ntl0001.cpr', however the upgrade for the 200 is still there. If they've changed the filename or server they aren't telling the modems about in my area

interesting

PS I downloaded all of their configs before they start to encrypt them - just in case they come in handy :)


@Raven3k, they stopped that using the MD5 hash mate. Also the dream OS sounds interesting but the Surfboards can already self certificate - gonna have to dig around some old posts
 
Can't u just keep the config permanently in memory? And then all u would need is a lease?
 
Hoping so solster mate, but you will still have to register the modem first - I'm working hard :)
Ask your Telewest buddies if they have a 200 to put sigma x on so they can get their configs as well. We also need an Irish volunteer.
PM coming your way mate

dragonlord003, cheers mate
 
Hoping so solster mate, but you will still have to register the modem first - I'm working hard :)
Ask your Telewest buddies if they have a 200 to put sigma x on so they can get their configs as well. We also need an Irish volunteer.
PM coming your way mate
dragonlord003, cheers mate

will do mate

fook just when i thought i had a few days to kick back lol
 
I came up with the same board idea but wasn't going to post it for VM to see,
so PM'ed Adam with it, as he's probably better able to figure it out and pull it off than me.

That said, he had had the same idea, but at least now we have a possible solution, albeit only a possibility at the moment.
 