Motorola SB3100 Manuel d'utilisateur

Ok Guys and Gals I decided to put all the tutorials together kind of like a Haynes Manual to modem hacking. Everything that’s covered within is avail

3. Now you will have a list of everybody who's posted a request in your Town / City. Note down the names of the people who've posted reques

7. The firmware should now flash after you have pressed enter 8. On completion it will say if no further programming is needed turn off the modem

If so then congratulations, you have just flashed a SB5100 modem with Fercsa`s X2 stealth 13.5 firmware. To get hold of a USBJTAG or software you c

14. Motorola SB5101 14a. Method 1 Unfortunately theirs no hacked firmware available yet for the SB5101 but have a read of the following that was poste

14b. Method 2 Here’s another way to mod the SB5101 without using modified firmware. The following screen shots and text were put together by Boltar

(see image). This adapter changes the pin outs to the same order as the ambit modems, allowing the standard pre-built Max232/3 cables to work without

Code: cd /cm_hal scan_stop Now enter the following commands to setup your modem. Note some of these commands need alteration. Code: cd /non cd hali

15. Webstar DPC2100, EPC2100 All screenshots and text were compiled by Watsy1612 (of Digitalworldz) This guide will teach u how to clone a Webstar

Lye the modem down flat so the Broadcom writing on the big Broadcom chip is upside down, then start at the top of the white connector. Pin 1 = Rx Pin

C) Store iceProm Bootloader to flash B) Boot from flash E) Erase Flash Sector M) Set mode S) Store Bootloader Parameters to flash I) RE-ini

16. Baseline Privacy (BPI) Hack This text was compiled by Koevoet In some areas, NTL are initializing baseline privacy (BPI), this is the first step

2d. Know your DOCSIS If your area on the map starts with: 1, 2 or 6; Then you are in a Pure NTL area: International DOCSIS. 3, 4 or 5; Then you are in

17. Directly install SB5000 Series modems to PC and run off PC PSU Here’s how you can directly install the SB5000 series modems to your PC and run it

Once this is done, it should look like this, or as near as. You can just use the power adapter that came with the surfboard, and if you want to do

Picture showing internal power (Green Lights) More sample pictures below: Regards, Granty.

18. Secret MIB’s & Secret way to upgrade cable modem via BITFILE The following text was compiled by Dshocker (of TCNISO) Look down at the bottom

The value of your HFC MAC address. (Calc.exe) 2) The modem then TFTP gets a 'bitfile' from 192.168.100.10 4100 modem will TFTP get SB4100

6) To finish up disable the factory MIB by setting the OID 1.3.6.1.4.1.1166.1.19.4.29.0 to int 1 Example: snmpset -v2c -c public 192.168.100.1 1.3.6.

cmPrivateFactoryGroup 1.3.6.1.4.1.1166.1.19.4 1.3.6.1.4.1.1166.1.19.4.1.0 cmFactoryVersion 1.3.6.1.4.1.1166.1.19.4.2.0 cmFactoryDbgB

1.3.6.1.4.1.1166.1.19.4.31.1.0 cmFactorySuspendStartup 1.3.6.1.4.1.1166.1.19.4.31.2.0 cmFactoryDownstreamFrequency 1.3.6.1.4.1.1166.1.19.4.31.3.0 c

1.3.6.1.4.1.1166.1.19.6.2.1.0 cmCfgAuthorWaitTimeOut 1.3.6.1.4.1.1166.1.19.6.2.2.0 cmCfgReauthorWaitTimeOut 1.3.6.1.4.1.1166.1.19.6.2.3.0 cmCfgA

Links Well it looks like were at the end, I hope some of the above has helped you on your way to cloning, whatever modem it is you’ve got. Hopefully e

Telewest: Network Map I DOCSIS Modems will only work in Pure NTL & TW areas. E DOCSIS Modems will work in all areas, i.e.: ex C&W, Pure NTL

2e. Config file Database, accurate on: 03/06/2007 Warning!!! This Database could change at any moment, config files are constantly being reviewed and

NTL (Continued) Config File Name Down Speed Up Speed Notes cmreg-ntlhm200-midxbox.cm 2Mb 256kb 2 IP Address's cmreg-ntlhm200-mid-ps2.cm 2Mb 2

3. Spoofing You NIC (Network Interface Card) Now the above is not essential but if you have a subscribed modem which is recommended, and you plan to c

4. IP Address Here’s some very simple and quite helpful fault finding information. If you don’t know how to check your IP address, do the following.

5. MAX 232 & 233 Two really easy circuits to build the Max 233, is probably the easiest of the two and more reliable. If you’re a bit of lazy Tw*t

5b. MAX233 This one is simple to put together. Parts List 1 x MAX233 Microchip 1 x 9pin DB9 Female Serial Cable Optional Parts 1 x 20 Pin Microchip

Jabs Place Max 233 PIN 3: TX PIN 4: RX PIN 5: POWER (-) PIN 6: POWER (+) Wayneeboy19117 VCC = RED GND = BLACK RXD = YELLOW TXD = GREEN You’ll n

Contents 1. Cable Modem Basics...4 2. Sniffing for MAC Address’...

6. Ambit 200 Ok I’ve left out the Ambit 100 & 120 for the same reasons as Cleric and here’s another great tutorial by the man himself. The followi

Once this is done attach the serial end to your computer in COM1, don’t plug the power into your modem yet. 6b. Communicating with your modem Next co

The modem will not lock on so the data will keep running in HyperTerminal window this is fine Now enter the non update command: cd non-vol\snmp max_

Once you’re at the command line type the following: Cd non-vol press Enter Cd halif press Enter Once you have done the above all you need to d

6c. Telewest (TW) Stream Now as I’ve already mentioned the NTL Ambits can be used on a TW stream to do this you must do the following as put together

Now just delete one of the frequencies and in the box that says history frequency enter the correct downstream frequency for your area and click on “a

As you can see the downstream frequency has been changed to match TW’s configuration. Please note the hacked Ambit modems are under attack From NTL a

2. Ok once the Willem is set up put the chip in with the circle end at the top near the red jumper (29f). Put the serial lead in and the power lead in

4. Once this is selected hit the id button to id the chip and you should get the following: 5. Once you hit ok, erase the chip the erase button is u

As you can see it gives you the dip switch settings but they are back to front as you can see they go from 12 to 1. 7. Now what you have to do is cle

9. Motorola SB4100 & SB4200 ...68 9a. Change Firmware on Surfboard Modem -

I hope this helps you, please feel free to add to this tutorial, as some people might have different ways of doing this, but this the way I got it to

Setting up the locked modem Now, it’s time to connect your modem. You need to plug in Ethernet cable to you PC and MAX232 adapter to your pc serial

Then, Display Main Menu. Here press D to download the image and save to flash. It will ask for server and file details. TFTP Get Selected Board TFTP

Free store: a0300000 Starting TFTP of image1.bin from 192.168.100.2 Getting image1.bin using octet mode ... This is

6f. Latest release for the Ambit 200 The following screen shots and text were put together by Boltar SIGMA X2 Build 125 *CRACKED* Ambit 200 Tutorial

Now power up the modem and press ‘p’ in the terminal window quickly. Enter the 192.168.100.1 for the Board IP Address, just press return for the oth

After entering this data you should be presented with the flash menu. At this point, start the tftpd32 program that came with this archive. Make su

Now select ‘d’ from the menu options in the terminal window and enter 192.168.100.10 for the Board TFTP Server IP Address and sigmax2_125_cracked_dum

You will then be asked the sector at which to start the store. Enter 0. It will then start to flash the chip with the new firmware. When it’s finis

You will then be returned to the main menu. You may now reboot the modem. The new Sigma firmware should start to boot. Lots of data will flash past y

1. Cable Modem Basics Ok I’ll leave out as much jargon as possible. A cable modem is identified by the cable company by its Mac address which can usu

You can enable telnet using this interface too, as well as change the MAC address or change the firmware. If you enable telnet, make sure you change

6g. Restoring a Compatible Bootloader. If you have Sigma on your Ambit200, you no longer have a working flash menu at bootup (Where you press ‘p’ when

Now click on Write Bootloader and browse to the bootloader.bin file included with this archive. It should then begin to write the file to the modem’s

6h. Ambit 120 Tutorial All screenshots and text were compiled by Granty & Mark370 of Unlocker Forums Files needed 1) ntlhm120_ntl0001.cpr; 2)

If the non IC Blackcat cable is set up for a Motorola modem, you’ll need to install the pin header, to the underneath of the board like this. Howe

Then connect Blackcat cable and run software. 1) Go to the flash tab and click detect 2) Click on write, Search for the bin folder and select: Infi

5) Go to area network connections and click on “Internet Protocol (TCP/IP)”, and select properties. 6) Select the “Use the following ip

8) Start Tftpd32, and making sure that the current directory is showing the folder containing your files, and by clicking “Show Dir” you can make th

11) Now it will ask for Board IP Address, put: 192.168.100.1, and then press enter about 4 times until you get to the “Main Menu”, where you press: d

15) Once done, reboot modem and press any key within 2 seconds, then select choice 6. 16) Now respond as shown in the picture above and text below:

2. Sniffing for MAC Address’ The first thing you need to understand is UBR’s (Gateways). The following text was put together by Viiiper 2a. Cable M

Type: 2 (again) & press Enter 21) You will be asked to enter the Tune frequency in kHz, mine is 402750, you will need to know yours before you c

23) Once this is done unplug modem and connect feed cable, HyperTerminal will still be running on connection of modem. Go into a web browser and goto:

7. Ambit 250 - Guide to Hacking v2 The following text was put together by Astra NOTE: This was only tested on NTL ex-C&W. Other providers will ne

Board MAC Address [00:10:18:ff:ff:ff]: Internal/External phy? (i/e)[i] Now you should get the main menu: Main Menu: ========== d) Download and save

Next when asked “Do you wish to store it?”, type: Y, & “sector to start store”: 0 (zero) Image does not have standard header. Do you wish to stor

Now open Internet Explorer and browse to the following page: http://192.168.100.1 Login: Infinite Password: SetValue NOTE: Case Sensitive!!! Capita

Power off the modem for a few seconds and then back on again. Give it a minute to connect and obtain an IP address. You should now be able to access t

7c. Finding your TFTP IP All screenshots and text were compiled by Granty Here we have an example of the 250 asking for your TFTP address. Now to

2) Click on DHCP and scroll down to media sense, select disable, and it will ask you to re-start the program 3) Go back and select start snif

If you would like to share the Macs you have found you can save a list without the need of endless typing, just right click on a MAC, and select “Dump

So for MAC trading purposes you need to trade with anyone outside UBR05, for example UBR01. Areas/ cities are normally segmented into approx 10 segmen

C) Select discover from the DHCP Menu: D) Now just wait, after a while you will obtain your TFTP Server IP NOTE: I have tried this method but it

7d. 250 configurator guide All screenshots and text were compiled by Mark370 of Unlockers Once your Ambit250 has had the firmware flashed successfu

CW: annex_a cm_tuner: 19 ds_frequency: 586750000 TW: cm_tuner: 19 annex_b ds_frequency: 331000000 Config file: cm-20480-768 [20megs] Getting

NOTE: MAC address has been removed for security reasons 4. Once all boxes are filled in and ticked, press: Write Settings, now the app will write y

1. First stop channel scan with this command: cd \cm_hal scan_stop cd \ (press enter) 2. Now enter the bpi cmd cd non-vol cd docsis enable bp

8. Motorola SB3100 I’ve never done a SB3100 myself but I found this posted on www.world-of-digital.com The following screen shots and text were put t

6) All we need checked r Enable ftp server…always run and auto IP also check our path to the vxworks is showing: 7) If all is well we should see

11) You may now close netboot as we don’t need it anymore/Temporary firmware is now in place 192.168.100.1/hack.html…….. now time to make it permanent

9. Motorola SB4100 & SB4200 I don’t know who put this tutorial together but it was posted on www.world-of-digital.com by 666 9a. Change Firmware

NOTE: Each model has own specific files so ensure you use the correct ones NOTE: Remember to type the location to the file "vxWorks.st” NOTE: Se

Once you have this screen up all you have to do to start sniffing for Mac addresses on your gateway is go to DHCP and select start sniffing as seen in

6) Browse to your firmware and then click on start update. 7) Wait, it can take up to 5 minutes. Your modem will reboot if successful. 9b. Modems

10. Hacked Firmware Ok hacked firmware comes in three flavors Fibercoax, Hackware and Sigma. Personally I stay away from Sigma as I just don’t like th

We left this feature for advanced users that wants to change Firmware's temporarily (an example would be going to DOCSIS 1.1 FW and back to 1.0)

Status Page Originally MADE possible by FIBERCOAX TEAM Here’s a screenshot from the status page so you’ve got an idea of what it looks like:

10b. Hackware Hackware is a lot more, straight forward, with its easy user interface via the “Hack tab” below is a screen shot which is pretty self ex

11. SB4100/SB4200 using a MAX232/MAX233 serial cable The following screen shots and text were put together by me, Cableguy69 These are the solder po

11c. SB4101 11d. SB4200 11e. SB5100

Now once you’ve connected your interface cable: 1) Start by going to: Start  Control Panel  Network Connections 2) Right click local area connect

8) Once Boot.exe has finished running reboot your modem and go to 192.168.100.1 and you should now see this page:

11e. “bootp referenced but not included" Error (SB3100/SB4100/SB4200) ome modems may get the following error. "bootp referenced but not inc

Once finished sniffing you should have a picture like this with address and Macs in etc: You can save these addresses by right clicking on the addr

SBxx00 TELNET COMMAND LINE se the following commands in your TelnetU Client if you get error "bootp referenced b3100t/vxWorks.st =192.168.100.1 h

12. Blackcat A Blackcat cable is the interface you’ll need if you plan on modifying a Motorola SB5100 below are the schematics for making a Blackcat.

12c. Making a Chipless Blackcat Ok so now you’ve got your Blackcat made up it might be wise to install a ten pin header onto your modems JTAG points t

At the other end of the idc cable cut the wires like in the pic below. You will not be using 3,5,7,9 so cut and remove these wires Solder wires to th

12d. Soldering a pin header All screenshots and text were compiled by Granty This is a guide to enable you to solder the 10 pin Header onto the Mot

2) Now with a pair of pliers carefully twist the metal between the 2 cut points back and forth until it becomes loose then it should easily come off.

3) Once this has been done, and all sharp edges tucked away you can place your header onto the surfboard, but it must be placed in the correct way, a

5) The next thing is to plug your soldering iron in and when hot enough, tin the end with some solder. This will increase the flow when you come roun

13. SB5100 Tutorial with Broadcom Commands All screenshots and text were compiled by Granty 1) Connect cable to surfboard 2) Start Blackcat soft

5) Go to Memory tab and select read all: This will take a while, when finished save file as blackcat.1,

2c. Mac Swap Tutorial There seems to be loads of people struggling to get their heads round the Mac Trade Threads, so I've put this together to h

6) Go to the flash tab and click Detect 7) Click write all, open the SB5100 bios folder and select the nosh file and open

8) This is the page you will have on display next; don’t panic because this is where you will have to wait at least 40mins for it to finish what its

11) When done, unplug the power cable from modem and re-connect 12) Open up an internet browser and goto: http://192.168.100.1/

13) Go across to the sigma tab & put a known working Mac in: “HFC MAC Addr:” and then click Change next to that box. 14) Unplug power cable agai

17) Go to the frequency tab and type in your downstream frequency & click Change, (mines is NTL area, enter yours as appropriate) 18) Go back to

19) Unplug power cable & reconnect. Go to http://192.168.100.1/ then Sigma page Here type in a valid and working MAC address and press Change. N

13a. USB JTAG ON A SB5100 USING FERCSA`S X2 STEALTH13.5 All screenshots and text were compiled by Koevoet 1. Firstly the JTAG will connect to the m

3. Now you need to select the type of modem you are going to flash, to do this click on tools then config, it will then open the following menu: In

5. Now we need to issue 2 more commands to get the modem ready for programming these are: ldram & then program As you can now see in the botto