[DOWNLOAD] GUIDE Downgrading Superhub and Mac Sniffing

This is frying my head lol. I've got the MAC and serial on with no problem, it's the certificates.

I've read the Public Key/ Private Key/ Root Key/ CM Cert and CA Cert from my subbed, using the HubTool, with no trouble. I then enter them all into the BPI Bin Converter and it creates a bpi.bin file. Now I try to telnet the file to the clone but I get the above error message. Now a very helpful chap on Cablewizardz tells me that he had the error but it still works if you write it anyway. Not for me though. lol

These are the commands I try:

cd non-vol

cd bpi

tftp_read perm 192.168.100.10 bpi.bin

tftp_write perm 192.168.100.10 bpi.bin

/non-vol/bpi/write

/non-vol/write

It goes through the motions (I don't understand the double jargon that comes up in the window lol). It says successfully written, but no internet.

Surely it must have something to do with this error, after the tftp_read perm 192.168.100.10 bpi.bin (command)
ERROR - The setting were not valid. Restoring previous values.
Chescksum for permanent settings: 0xb7e3f5ba

Hmmmm? Where am I going wrong? lol
 
We have faith in you :thumbsup:
 
cd does indeed = change directory
Non-vol = non-volatile memory location - in this case mounted as a folder called 'non-vol'; this holds the tools to write to your BPI (Baseline Privacy Interface)

Inbox me if you're on Skype and I'll try and give you a hand mate.
 
You sound like just the chap I'm looking for. :)

I'm not on Skype (I'll have to join up). I'm off out soon and will probably be in no fit state tomorrow lol
Thanks again for the offer. I'll post back when my head is functioning properly. :)
 
I've redowngraded my subbed, to get the Certs and Keys (just in case something went wrong the first time?). Got them ok, used the converter to create the bpi.bin.
Now I've used the converter a few times. Sometimes I end up with a 5k file, and other times I end up with a 14k file?? Either way, when I get to Telnetting it across, I end up with a checksum error?
This is the latest attempt plus TFTP log:

TELNET
Opening file 'bpi.bin' on 192.168.100.10 for reading...
Tftp read < 512 bytes, we have reached the end of file.
Tftp transfer complete!
TFTP settings:
stack interface = 0
server ip address = 192.168.100.10
server port number = 55041
total blocks read = 10
total bytes read =5111

checksum for permanent settings: 0x69299991

ERROR - The setting were not valid. Restoring previous values.
Chescksum for permanent settings: 0xb7e3f5ba
The settings were successfully read from the device.

TFTP Log:
Connection received from 192.168.100.1 on port 1032 [25/12 15:38:56.484]
Read request for file <bpi.bin>. Mode octet [25/12 15:38:56.488]
Using local port 55041 [25/12 15:38:56.488]
<bpi.bin>: sent 10 blks, 5111 bytes in 0 s. 0 blk resent [25/12 15:38:56.585]


TELNET
tftp_write perm 192.168.100.10 bpi.bin (below the read line)

Opening file 'bpi.bin' on 192.168.100.10 for writing...

(it sent and received a load of block numbers 0-28)

The settings were successfully written to the TFTP server.

(I typed) /non-vol/bpi/write

/non-vol/write

Permanent Non-Vol Settings successfully written to the device (after both)

TFTP Log
Connection received from 192.168.100.1 on port 1032 [25/12 15:38:56.484]
Read request for file <bpi.bin>. Mode octet [25/12 15:38:56.488]
Using local port 55041 [25/12 15:38:56.488]
<bpi.bin>: sent 10 blks, 5111 bytes in 0 s. 0 blk resent [25/12 15:38:56.585]
Connection received from 192.168.100.1 on port 1033 [25/12 15:44:40.059]
Write request for file <bpi.bin>. Mode octet [25/12 15:44:40.061]
Using local port 51775 [25/12 15:44:40.063]
<bpi.bin>: rcvd 28 blks, 14317 bytes in 0 s. 0 blk resent [25/12 15:44:40.788]


Still no internet access. (I haven't a clue what all the above means lol, whether it's right or wrong?) Surely that checksum ERROR is part of the problem?
Could it be the TFTP settings are incorrect? Or is there something terribly wrong with my bpi.bin?

Thanks for looking, any help would be most welcome. :)
 
I've just discovered that the 5k bpi file turns into 14k after I've gone through the TFTP/ Telnet motions?

Anyway, (I'm sure I tried it before but thought I'd go again) I decided to retry with the new 14k bpi, and lo and behold, no checksum ERROR and it Telnets over correctly. Even so, my hopes were soon dashed when I connected up the coax and rebooted. Same blue data light on solid and a rapid flashing green tick :(

lol
 
So near yet so far away. What happened to that kind and nice monkeyMan3 that was going to help?
 
I'm going to have to get on Skype first. Trouble is, I've only got 1 PC to hand and I'm going to have to disconnect it from the net to be able to hook up the other Hub for telnetting etc, so I will lose the connection, along with Monkeyman's help.

I'll have to get hold of a tablet or something. :)

It is annoying. I've followed the tutorials correctly, but still no joy. I wonder if Virjin have implemented some other security measure since the tutes??
 
For Skype I use an old mobile with a Three network SIM card with no credit, if that helps.
 
This is the info from the clone:

Information
Standard Specification Compliant EU DOCSIS 3.0
Hardware Version 2.00
Software Version V5.5.2R19
MAC Address 9c:d3:6d:xxxxxx
Serial Number 2ha535xxxxxxx
CM Certificate Installed
Status
System Up Time 0 days 00h:05m:23s
Network Access Denied
Device IP Address ---.---.---.---


-------------------------------------------------------
(Log)
Sun Dec 28 10:49:03 2014 Error (4)
Auth Reject - Permanent Authorization Failure;
CM-MAC=9c:d3:6d:dxxxxxx;
CMTS-MAC=00:30:b8:d2:26:20;
CM-QOS=1.1;CM-VER=3.0;

--------------------------------------------------------
Startup Procedure
Procedure Status Comment
Acquire Downstream Channel 299000000 Hz Locked
Connectivity State In Progress Access Denied
Boot State OK Operational
Configuration File OK
Security In Progress Disabled
Downstream Channels
Lock Status Modulation Channel ID Max Raw Bit Rate Frequency Power SNR Docsis/EuroDocsis locked
Locked QAM256 5 55616000 Kbits/sec 299000000 Hz 5.8 dBmV 40.9 dB Hybrid
Locked QAM256 1 55616000 Kbits/sec 267000000 Hz 6.1 dBmV 41.4 dB Hybrid
Locked QAM256 2 55616000 Kbits/sec 275000000 Hz 6.0 dBmV 41.1 dB Hybrid
Locked QAM256 3 55616000 Kbits/sec 283000000 Hz 5.6 dBmV 41.4 dB Hybrid
Locked QAM256 4 55616000 Kbits/sec 291000000 Hz 4.7 dBmV 41.2 dB Hybrid
Locked QAM256 6 55616000 Kbits/sec 307000000 Hz 4.9 dBmV 41.5 dB Hybrid
Locked QAM256 7 55616000 Kbits/sec 315000000 Hz 3.8 dBmV 41.4 dB Hybrid
Locked QAM256 8 55616000 Kbits/sec 323000000 Hz 0.7 dBmV 39.4 dB Hybrid
Upstream Channels
Lock Status Modulation Channel ID Max Raw Bit Rate Frequency Power
Locked ATDMA 11 20480 Kbits/sec 32600000 Hz 45.4 dBmV
Locked TDMA 10 20480 Kbits/sec 39400000 Hz 45.4 dBmV
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV
Primary Downstream Service Flow
Downstream(0)
SFID 13805
Max Traffic Rate 57344000 bps
Max Traffic Burst 16320 bytes
Mix Traffic Rate 2867200 bps
Primary Upstream Service Flow
Upstream(0)
SFID 13804
Max Traffic Rate 3170000 bps
Max Traffic Burst 16320 bytes
Mix Traffic Rate 0 bps
Max Concatenated Burst 16320 bytes
Scheduling Type Best Effort
Current System Time:Sun Dec 28 10:52:05 2014
 
Think i'm getting somewhere now.

Unticked the 2 boxes under the MAC and reconfigured and have been allocated a WAN IP.
When I tried to access Google, it connected me to Virjin as if it was a new setup, and then came up with an error.

Will I need to change the Hub's LAN MAC and wireless MAC to match my subb?

:)
 
Now I've got the Internet tick on solid green, but the data light is green instead of blue. Arggggggggg :( lol

Can anyone make any sense of the logs?

Event Log
Time Priority Description
Fri Jan 02 09:32:09 2015 Error (4) SW upgrade Failed after download - Incompatible SW file
Fri Jan 02 09:32:06 2015 Notice (6) SW Download INIT - Via Config file fd;kfoA,.iyewrkldJKD
Fri Jan 02 09:32:03 2015 Error (4) Missing BP Configuration Setting TLV Type: 17.8;CM-MAC=9c:d3:xxxxxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;
Fri Jan 02 09:32:03 2015 Error (4) Missing BP Configuration Setting TLV Type: 17.9;CM-MAC=9c:d3:xxxxxxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Critical (3) Telnet login failed from 192.168.100.10.
Time Not Established Critical (3) SYNC Timing Synchronization failure - Failed to acquire FEC framing;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:00:00:00:00:00;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Critical (3) SYNC Timing Synchronization failure - Failed to acquire QAM/QPSK symbol timing;;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:00:00:00:00:00;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Critical (3) SYNC Timing Synchronization failure - Failed to acquire FEC framing;CM-MAC=9c:d3:6d:xxxx;CMTS-MAC=00:00:00:00:00:00;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Critical (3) SYNC Timing Synchronization failure - Failed to acquire QAM/QPSK symbol timing;;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:00:00:00:00:00;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Critical (3) No Ranging Response received - T3 time-out;CM-MAC=9c:d3:6d:xxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Critical (3) DHCP FAILED - Requested Info not supported.;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Warning (5) Lost MDD Timeout;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Warning (5) MDD message timeout;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;




Startup Procedure
Procedure Status Comment
Acquire Downstream Channel 331000000 Hz Locked
Connectivity State OK Operational
Boot State OK Operational
Configuration File OK
Security Enabled BPI
Downstream Channels
Lock Status Modulation Channel ID Max Raw Bit Rate Frequency Power SNR Docsis/EuroDocsis locked
Locked QAM256 1 42884296 Kbits/sec 331000000 Hz -7.7 dBmV 33.9 dB Hybrid
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV 0.0 dB Unknown
Upstream Channels
Lock Status Modulation Channel ID Max Raw Bit Rate Frequency Power
Locked TDMA 2 5120 Kbits/sec 22200000 Hz 43.7 dBmV
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV
Unlocked Unknown 0 0 Ksym/sec 0 Hz 0.0 dBmV
Current System Time:Fri Jan 02 09:33:48 2015
 
As the first error seemed to be to do with the software upgrade, I managed to upgrade it through telnet to the same as the subbed. I put it into modem only mode, so as not to appear on their systems with a different LAN MAC. Still no joy. Says on the system tray (Additional Log On Info May Be Required). In the Network settings, it's got
IPv4 86.xx.xx.64
IPv4 Default Gateway 86.xx.xx.1
IPV4 DHCP Server 62.xxx.xxx.73
IPV4 DNS Server 61.xxx.xxx.232
194.168.x.xx

and from the HUB

LAN (Wireless) MAC Address 2c:b0:5d:xxxx
System Up Time 0 days 00h:02m:13s
Connection LAN IP Address 192.168.0.1
WAN IP Address 86.11.xxxx
Lease Time Remaining 6 days 23h:10m:26s
Expiry Fri 09 Jan 09:48
Current Network Time Fri 02 Jan 10:37





Modem Initialisation Stage Status
Downstream Acquisition Locked
Primary Frequency 331000000 Hz
DHCP Complete
TFTP Complete
Time Of Day 10:38:05
Security Enabled
Counters T1,T2,T3,T4,Sync,Resets 0, 0, 0, 0, 0, 0
Internet Connection IP Address Status
WAN IP Address 86.11.xxxx
Lease Time Remaining 0 days 00:28:25
Expiry Fri 02 Jan 11:06
Current Network Time Fri 02 Jan 10:38
Downstream Channels Lock Status Channel ID Frequency Modulation Rx Power SNR Pre RS Errors Post RS Errors
Locked 1 331000000 Hz QAM256 9.4 dBmV 32.9 dB 67 0
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Unlocked Unknown 0 Hz Unknown 0.0 dBmV 0.0 dB Unknown Unknown
Upstream Channels Lock Status Channel ID Frequency Modulation Tx Power Mode Channel Bandwidth Symbol Rate
Locked 1 19800000 Hz TDMA 44.5 dBmV 16QAM 1600000 5120 Kbits/sec
Unlocked 0 0 Hz Unknown 0.0 dBmV Unknown Unknown 0 Kbits/sec
Unlocked 0 0 Hz Unknown 0.0 dBmV Unknown Unknown 0 Kbits/sec
Unlocked 0 0 Hz Unknown 0.0 dBmV Unknown Unknown 0 Kbits/sec







Date Time Error Number Error Description
02/01/2015 10:36:15 2436694078 TOD established
02/01/2015 10:36:15 66010100 Missing BP Configuration Setting TLV Type: 17.8;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:1e:14:xxxx;CM-QOS=1.0;CM-VER=3.0;
02/01/2015 10:36:15 66010100 Missing BP Configuration Setting TLV Type: 17.9;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:1e:14:xxxx:01;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Time Not Established 68000300 DHCP WARNING - Non-critical field invalid in response ;CM-MAC=9c:d3:xxxxx;CMTS-MAC=00:1e:14:02:xxxx;CM-QOS=1.0;CM-VER=3.0;
Time Not Established Time Not Established 84020200 Lost MDD Timeout;CM-MAC=9c:d3:6d:xxxx;CMTS-MAC=00:1e:14:xxxx;CM-QOS=1.0;CM-VER=3.0;
 
I think this is your problem :

02/01/2015 10:36:15 66010100 Missing BP Configuration Setting TLV Type: 17.9;CM-MAC=9c:d3:xxxx;CMTS-MAC=00:1e:14:xxxx:01;CM-QOS=1.0;CM-VER=3.0;

Look at the 2 MACs, they're different??
 
Thanks for looking in Fes :) What are CM-MAC and CMTS MAC? I just assumed that the second MAC was from the HUB's LAN?

@dexyweescot Yes, I have got the Certs from my subbed Hub.
 
I'm not sure m8

Been a long time since I messed with modems

But it's saying missing BP config settings
 
Wish I still had mines to give it a bash but it died a few weeks ago and had to get the VMDG485 sent out.
 
Just checked and it is the MAC of my PC network card.

What are the BP config settings? (Baseline Privacy? Certs etc?) hmmm :)

@ Dexy I'm sure you could find one on ebay. I got mine at the local council recycling center shop for £1. :)
 