important

nozzer said:
If anyone starts encouraging people to interfere with paying subscribed customers in this way then I'll make damned sure they are banned permanently!

This is not the kind of thing we are here for !

Where precisely did I encourage anyone on the forum to do this?

Nowhere that I can see. What I encourage my friends to do has nothing to do with the forum. I posted a personal view, nothing else. Since when has that been against the forum rules?

Which one of the forum rules have I broken?
None that I can see.

So I respectfully ask that you refrain from threats of bans for nothing.

Thank you.
 
and how does that breach the forum rule. be so kind as to point me to the forum rules about that

What you were proposing amounts to a form of blackmail. "Don't interfere with us or we'll start interfering with your paying customer". Just because the rules don't specifically mention something doesn't mean you won't be banned for it if you are deemed to have gone too far!

and no I did not say I was encouraging anyone on the forum to do it.

hmm !

AND I'LL BE ENCOURAGING EVERY OTHER CLONE USER I KNOW TO DO THE SAME

To me, that seems like encouragement !

However, I chose the friendly warning this time.


so I would respectfully ask you do not threaten me with bans for something I have not done

It's one of my functions to moderate when things are going in an undesirable direction in order to both protect the forum and to try and avoid the use of a ban.
 
I just read on the ul forums that this only applies to Ambits but will apply to Motorolas later on.
 
bloody hell that took some time to think up and type
I edited it at 00:44 so it took you some time to think that up.

power head gone to springs to mind.
subject/discussion closed.
 
OK, relatively new to the modems, having managed to sort myself one out relatively recently, so please excuse a lack of in-depth knowledge.

I don't fully understand the news that adam reports, but from what I gather VM are detecting that the modems are cloned, not by macs or serials, NICs or anything, but by querying the modems and detecting that they are clones by what is reported back by the hacked firmware (i.e. it's not the same as an original firmware), and then limiting the modem to an unusable speed.

Now go easy, I have read a lot, but can we not quite literally clone the modem, i.e. lift the chip, read it, edit it with a hex editor (or create a program to edit the flash directly; presuming that it isn't encrypted etc), edit in the mac address and tftp IP etc etc, and then program this back onto a fresh chip for another modem. Sounds like a lot of work, but would this not give you a truly cloned modem then? With the new methods that VM implement you would only have the subscriber's config, but this is better than nothing, is it not? This also depends on macs working in different UBRs.


Just a thought.


Adam, how is your new method shaping up so far with the new countermeasures?



:D
 
This does bring the following thought forward: I wonder if it's possible for the modem to reply as the legit one but instead it requests a new certificate? It surely can't work on a first come, first served basis?
 
hmm, 24 hour ban. Looks like the power has gone to my head !

Now the subject is closed !
 
The post doesn't make much sense....

Dynamic configuration sends random file names per session. On each DHCP transaction, instead of a static name, a dynamic name is returned. It's nothing to do with encryption. The modem then simply downloads the filename as instructed in the DHCP request. As dodgy as it looks, it IS a valid config that is either generated in real-time or is loaded from some pre-set configuration data at the headend.

In dynamic configuration, there are NO certificates and NO "unencrypting" is done at the modem.

The usage of signed certificates is a completely different defence method and has nothing to do with dynamic configs. Whilst signed certificates in BPI+ would pose a threat to cloning, it sounds like dstream may have confused himself somewhere along the lines.

There are some other discrepancies too in dstream's post. Too tired to go through it right now!

Meantime, if anyone is in an area which is using dynamic configurations - please drop me a PM.
 
OK, here's a strange one, I'm having this problem but only 50% of the time.

I got my macs using the ambit mac scanner built into hideki's tool, worked very well too, it found me lots of macs of 250s that I can use on my UBR without getting kicked off.

If I don't force a config on these macs I get a random string of characters as the config name, and they work ok, but they are mostly slow connections.

When I force a 20mb config, around 50% of the time the modem doesn't give me a valid IP, it stays with 192.168.100.10 and the modem status tells me "Refused by CMTS", but rebooting it gives a roughly 50/50 chance of getting this message and getting the modem to boot up on the 20mb config and work fine.

Perhaps my area is only half upgraded to this new system? Once this is fully rolled out, I guess the only way to ensure high speeds in the future is to try and obtain and use 20mb macs?
 
I'm in Ireland. What can I volunteer for?
If you have a 200 or 5100 you can put sigma 1.06 on it and download the config files from the server before they disappear. They may come in handy at a later date.
 
latest from dstream

Before they trash the clones it's working like this.

release encrypted configs.

all modems during the cycle renew the ip lease with the dhcp server.
At this point they are reset for encrypted configs. In the system there are still modems that don't have this yet, as in they haven't renewed the lease or are a 4100 etc. So your config will work on a scanned non upgraded modem.

you can force that one even. So as it renews its lease and gets the new config system you're kicked off. As you cannot request the config. The modem sits in a 1k up 1k down loop okay.

righto po with me so far. All scanned ones with encryption you have will not work on yer ubr and will simply drop. You haven't got the key it uses to talk to the tftp server. It can't request the packet. This stops you scanning for the mac addys.

Right, they have a mammoth task ahead to do all areas so what they do is switch over to the new configs and allow the old style modems still to go through to allow them all to get out the system. So you've a 2 week grace period, enjoy it while you can.
 
All scanned ones with encryption you have will not work on yer ubr and will simply drop. You haven't got the key it uses to talk to the tftp server. It can't request the packet. This stops you scanning for the mac addys.

I still question the validity of what dstream is suggesting.

Whilst he is right in saying dynamic configurations are currently being rolled out, this "encryption" he suggests, may have rather confused him by the obscured names generated by the CMTS.

The part where he refers to the fact that it plays a role in the de-provisioning of a clone is something I would question even further. Doesn't make any sense. The areas which currently have mac banning enforced let the modem successfully provision (with a dynamic config!) and allow it to go online for a certain period of time before it's booted and blacklisted.

Dstream suggests the modem cannot decipher the config in order to make a valid request - if this could not be completed, then the provisioning state would fail and the modem would not complete the initial boot sequence in the first place.
 
The hashed-looking config names are random substrings of a predefined string (they are not encrypted), someone spotted this a few weeks ago I think. Not sure where the post is as search is not working.

But whether or not the boot image itself is encrypted is another story...
 
Yep, I mentioned to you that FiOS in the US use the same encryption system (along with Comcast using it on the higher speed packages)

The encryption key is random.

It's uncrackable, people have been trying since FiOS first started and have got nowhere.
 
An interesting read.

Found while surfing.

I know very well that HMAC-MD5 itself can't be "cracked" but the idea is, instead of attacking the strong point (encryption) why not attack the weak spot? It appears to me that the HMAC-MD5 solution was designed to stop uploading modified config files into the modem. But I doubt that the scope of this security measure predicted that someone, someday, would create a totally new firmware/OS to gain TOTAL control over the modem hardware.
I have limited knowledge in programming so I don't know if this approach is plausible, but even if it is, how difficult it can be.
The concept is simple: Just change the algorithm that handles the modem self-configuration. The self-configuration uses the config file that contains all the DOCSIS parameters.
IF the routine that reads the config file and applies the settings is contained in the firmware, then I don't see why this wouldn't work.
So to bypass MD5, TFTP enforce, dynamic config, etc...... the conceptual solution would be something like this:
1) Store the user's custom config in the modem memory.
2) During the boot process the modem gets the "official" config from the provider's TFTP as usual.
3) Then the modem registers on the network using the official config provided by the provider.
At this point all the verifications have been bypassed because until now it was a usual registration, using the right config file with the correct HMAC-MD5....
Then the modified algorithm makes a new call to the "config interpreter" routine, but this time reading the custom config file that's stored in the memory, resetting the modem parameters at will without the provider getting any notice (to the provider it'll appear that you are using the official configuration).
Like I said, IF the routine that interprets the config file IS located in the firmware, then something like this should be possible.
Well, what do you think, is this kind of workaround possible, if not, why?
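
The keyed-digest check the quoted post refers to, as an added example that is not part of the thread or any vendor's code: the provisioning side appends an HMAC-MD5 over the config records and the headend recomputes it before accepting the registration. The record layout, type codes and secret are constructed for illustration and are not the DOCSIS wire format.

```python
import hashlib
import hmac
import struct

# Constructed type codes for this sketch; not the real DOCSIS TLV numbering.
T_MAX_DOWN_BPS, T_MAX_UP_BPS, T_MIC = 0x01, 0x02, 0x7F


def tlv(t: int, value: bytes) -> bytes:
    """Encode one record: 1-byte type, 1-byte length, value."""
    return struct.pack("BB", t, len(value)) + value


def build_config(down_bps: int, up_bps: int, secret: bytes) -> bytes:
    """Provisioning side: serialise the settings and append the keyed digest."""
    body = tlv(T_MAX_DOWN_BPS, struct.pack(">I", down_bps))
    body += tlv(T_MAX_UP_BPS, struct.pack(">I", up_bps))
    mic = hmac.new(secret, body, hashlib.md5).digest()
    return body + tlv(T_MIC, mic)


def headend_accepts(config: bytes, secret: bytes) -> bool:
    """Headend side: recompute the digest over everything before the MIC record."""
    mic_len = 2 + hashlib.md5().digest_size
    if len(config) <= mic_len:
        return False
    body, trailer = config[:-mic_len], config[-mic_len:]
    if trailer[0] != T_MIC or trailer[1] != mic_len - 2:
        return False
    expected = hmac.new(secret, body, hashlib.md5).digest()
    return hmac.compare_digest(expected, trailer[2:])


def demo() -> dict:
    secret = b"constructed-shared-secret"  # held by provisioning and headend only
    genuine = build_config(2_000_000, 256_000, secret)
    # Same file with the downstream rate overwritten and the old digest kept.
    edited = bytearray(genuine)
    edited[2:6] = struct.pack(">I", 20_000_000)
    # A config with a digest computed under a key that is not the operator's.
    resigned = build_config(20_000_000, 256_000, b"not-the-operator-key")
    return {"genuine": headend_accepts(genuine, secret),
            "edited": headend_accepts(bytes(edited), secret),
            "resigned": headend_accepts(resigned, secret)}


if __name__ == "__main__":
    print(demo())
```

The digest only proves that the file presented at registration is the one the operator issued; it says nothing about what the device does afterwards, so limits have to be enforced at the headend as well.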
 
Last night I redid a modem... all worked fine for 20 minutes and went off... checked 192.. and it displayed hdhsdk294hfksioehfks. It seems when this is loaded onto the modem it's knocked off.. I know the above has been covered before etc..

It seems over in the States they have a workaround.. I did a search on a few forums.. some use BPI and BPI+.. but I found one particular thread in which one member hosted a config file and users downloaded the config via the terminal.. and got online..

Not sure how this would benefit us... because we don't know how often VM check the certificates :(
 
bit of a random reply/post/hijack
 
ok I got a question.... say all this happens...

I'm guessing for it to work VM would have to upgrade the software on the modems, yeh?

if u get a 20mb mac and write it to the modem, can't u just let the VM software crack on with its job?

as it is all based on the mac anyway?
 
oh dear we do seem to have got ourselves into a twist - md5, encryption/decryption keys, bpi lol. well if that were the case how could they send random data as a config and have it deciphered? dynamic configs aren't really dynamic at all and are just a smoke screen! maybe sometimes it's too easy to look deeper than what is actually happening ;)

SK
 