250 tut (got workin in belfast)

liamliam

I've adjusted it a small bit, not my work.

To flash the firmware onto the Ambit250 you must use a MAX232 interface. Connect this up as per-normal.

Connect up the cable feed to the modem, and the ethernet cable to the PC LAN card.

Make a new folder on your PC.
Copy the "250hack_dump_telnet.bin" into it.
Copy the file "tftpd32.exe" (this was posted along with the ambit200-sigma hack)

In Windows networking:

Set your IP address to: 192.168.100.10
Set your GateWay to: 192.168.100.1

Start tftpd32.exe

Now start hyperterminal and connect to the COM port of the PC using these settings:

Bits per second: 115200
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

Power the modem up.


Code:
Enter '1', '2', or 'p' within 2 seconds or take default...

Choose option P


Code:

Board IP Address [0.0.0.0]: 192.168.100.1
Board IP Mask [255.255.255.0]:
Board IP Gateway [0.0.0.0]:
Board MAC Address [00:10:18:ff:ff:ff]:
Internal/External phy? (i/e)

Now you should get the main menu...


Code:
Main Menu:
==========
d) Download and save to flash
g) Download and run from RAM
c) Store icePROM bootloader to flash
b) Boot from flash
e) Erase flash sector
m) Set mode
s) Store bootloader parameters to flash
i) Re-init ethernet
r) Read memory
w) Write memory

Choose option D


Code:
Board TFTP Server IP Address [0.0.0.0]: 192.168.100.10
Enter TFTP filename []: 250hack_dump_telnet.bin

You should now see the following appear:


Code:
Free store: a0500000
Starting TFTP of 250hack_dump_telnet.bin from 192.168.100.10
Getting 250hack_dump_telnet.bin using octet mode
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ..............................
.................................................. ...............
Tftp complete
Received 2097152 bytes
HCS failed on Image 0 Program Header

Next you should get:


Code:
Image does not have standard header. Do you wish to store it? [n] Y
Programming 2097152 bytes
Enter sector to start store: 0

The modem will now write the new firmware to the flash.


Code:
Store parameters to flash ? [n]

Now you should get the main menu again.

The modem is now flashed and you can close this copy of Hyperterminal and disconnect your MAX232.


Set the LAN card back to dynamic IP and Gateway and reboot the modem.

Give it a minute to power up.

Now start a new copy of Hyperterminal, this time we change the port to TCP/IP (Winsock)
In the Host address box enter 192.168.100.1
Leave the port number as 23


Code:
Broadcom Corporation Embedded Telnet Server (c) 2000-2003
WARNING: Access allowed by authorized users only.

Press enter


Code:
login: admin
password: infinite

WARNING: It is possible to crash the system, cause a deadlock,
or cause the connection to be shut down via Telnet.
Run commands with caution!
Console now switched to Telnet session...
Scanning DS Channel at 240000000 Hz...
Scanning DS Channel at 249000000 Hz...
...

We are now back in the console using telnet.
It should be scanning for a frequency to lock onto. We want to stop this.


Code:
cd \cm_hal
scan_stop
cd \

Now open Internet Explorer and browse to the following page: http://192.168.100.1

Login: Infinite
Password: SetValue

NOTE: Case Sensitive!!! Capital I, S and V
NOTE: FireFox does not load the pages - you must use Internet Explorer

Click on SECURITY NTL: 402750000

Type in your DS frequency and click apply.

Switch back in the Hyperterminal window.


Code:
cd \non
write
cd \

We now need to change the MAC address. We do this by writing the new ethernet mac into RAM first.

Assuming our MAC address is AA:BB:CC:DD:EE:FF


Code:
write_memory -s 4 0x807e8b98 0xAABBCCDD
write_memory -s 2 0x807e8b9c 0xEEFF

Next we must force the modem to commit this to flash.


Code:
cd \non
write
cd \

Now to configure the other settings required to get online.


Code:
cd \non
cd hal
cm_tuner 19
write
annex_a
write
usb_mac_address aa:bb:cc:dd:ee:ff
write

Power the modem off and on again.

Give it a minute to connect and obtain an IP address. You should then be able to access the web.


Now to force the modem to use the 10mb config file.

Reconnect to the modem via telnet using Hyperterminal (as you did before)

Type in:


Code:
cd \non
cd doc
dhcp_settings
My IP Address: [192.168.100.1]
Subnet Mask: [255.255.255.0]
Router IP Address: [192.168.100.254]

Those are the only 3 that really need to be changed.
Do you want to change the other settings? [no] Y
TFTP Server IP Address: [10.10.10.254] type in the IP of your TFTP server here
Config file name: [cm.bin] cmreg-ntlhm120-bund03.cm
Time Server IP Address: [10.10.10.254]
SysLog Server IP Address: [10.10.10.254]

Now type in the following lines:


Code:
enable force_cfgfile true
write

Now reboot the modem.

You should still be able to connect to the web. You can check which config file you are running by accessing
http://192.168.100.1 and look in the Connection page.

Now it is important to change the modem's telnet username & password to prevent unauthorised access.

Reconnect to the modem via telnet using Hyperterminal (as you did before)

Type in:


Code:
cd \non
cd msg
user_name <your desired username here>
password <your desired password here>
write

The settings will not be changed until you reboot your modem.
 
k

Login: Infinite
Password: SetValue
NOTE: Case Sensitive!!! Capital I, S and V
did u enter login and password properly m8?
 
mmmmm

try reboot ur pc and modem
mine works fine, if that don't work let me know
I'll c if i can sort it m8
 
so all u have changed is annex a to annex b then? or am i missing something as I've tried this and it doesn't work for me...
 
yes

yes m8 follow the tut and it'll work
if u need a hand pm me and have u any macs
 