Tuts 4 You

Getting Docsis Cable Modem Firmware


Downloading...

Hello guys,

I'm trying to get to know my cable modem with integrated router better, but I can't seem to find any firmware online (it's a CBN 6643E).

I read that one guy was able to root it a few years ago, and it has been updated since then, but I can't seem to find how he did it. I think he somehow managed to extract the firmware, since he asked a binwalk question on devttys0's website.

Now, before I open up my modem (which I suppose is illegal, since it is provided by my ISP), how would I be able to extract the firmware to analyse it?

Would it be possible to somehow sniff the traffic from the coax cable to eventually grab an update file or something?

There is no web server running on the modem/router, and settings are only accessible through the ISP's website (which sucks: if the website is offline I can't change my network settings).

So there is no way to exploit it through a running service.

I am new to hardware hacking so take it easy :) 

 

Greetings,

 

Down...


In general you'll need to find the serial port or another diagnostic interface and try to gain access from there. A good starter is here: https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html

Read both the main article and the other articles it links to. :)

 

14 hours ago, Downloading... said:

Would it be possible to somehow sniff the traffic from the coax cable to eventually grab an update file or something?

Not unless you have a lot of experience and can make custom software/hardware. Google "Hacking DOCSIS For Fun and Profit".


  • 1 month later...

The cable company controls the modem image file and version, as well as other settings, using TLVs in the provisioning file. This file is specific to your modem's HFC MAC and is pushed to the modem from the CMTS after the modem finishes all the required layer 1 initializations (ranging, registration). The modem will only pull a different image if the checksum isn't valid (depends on the firmware) or your ISP tells it to switch to another version.

If you want to start static analysis on the code, your best bet is to dump it directly from the flash on the board, or just try to find it online (might be harder). Usually firmware upgrade packages are encrypted or obfuscated in some way, so it might be easier not to deal with that and dump it straight from flash. It's going to be hard to do without opening it.

I have seen a lot of modems that were designed for debugging, but they are special debug hardware parts provided to the ISPs for their labs. The Motorola ones, for instance, are orange. The only difference is that they have an external serial interface (uses a proprietary connector and cable), but it's just RS232. If you look inside, the board just has a built-in TTL level converter that converts the logic levels to RS232 so you can attach your computer.

A lot of the production modems also have this spot on the PCB with the chip missing, and you can gain access to the console simply by inserting a level converter inline. If the modem has production firmware on it, you most likely won't be able to do much on the console except pull debug logs and watch the modem as it performs its initialization routines, unless you can find a vulnerability. What is your goal?

Here you can see the stereo jack on the top that the debugging cable plugs into. At this point it's already RS232 (ground, TX, RX), since the chip is inside.

[Image: diagnostic.jpeg]

 

What is your goal? If you want to experiment, it might be easier to just get another modem and call your ISP and have them switch the HFC MAC on your account to a modem for which you already have access to the firmware, or more tools.

 

cheers

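To make the provisioning-file point above concrete, here is an added example (mine, not from any poster on this thread and not vendor code) that walks the flat Type-Length-Value layout of a DOCSIS cable-modem configuration file and pulls out the settings that steer the modem onto an image: Software Upgrade Filename (type 9), Software Upgrade TFTP Server (type 21), Network Access Control (type 3) and Downstream Frequency (type 1). It also checks the CM MIC (type 6), which is the MD5 over every byte of the file before that TLV. The sample file, filename and server address are constructed for the demo; the CMTS MIC (type 7) is keyed with the operator's shared secret, which the example does not model, so it carries a zeroed placeholder.

```python
"""Added example: parse a DOCSIS CM configuration (provisioning) file and pull
out the TLVs that decide which firmware image the modem runs. Sample data is
constructed; nothing here is captured from a real ISP."""
import hashlib
import hmac
import struct
from typing import Dict, Iterator, Tuple

# Top-level type codes from the DOCSIS CM configuration file format
# (RFC 4639 / CM-SP-MULPI). Only the codes this example uses are listed.
TLV_PAD = 0                      # single pad byte, no length field
TLV_DOWNSTREAM_FREQ = 1          # 4-byte frequency in Hz
TLV_NETWORK_ACCESS = 3           # 1 = CPE traffic allowed, 0 = modem-only
TLV_CM_MIC = 6                   # MD5 over the file up to this TLV
TLV_CMTS_MIC = 7                 # HMAC-MD5 keyed with the operator's shared secret
TLV_SW_UPGRADE_FILENAME = 9      # image the modem must run
TLV_SW_UPGRADE_TFTP_SERVER = 21  # IPv4 address the image is fetched from
TLV_END = 255                    # end-of-data marker, single byte


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each top-level TLV until the end marker."""
    i = 0
    while i < len(data):
        t = data[i]
        if t == TLV_END:
            return
        if t == TLV_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV type %d at offset %d runs past end of file" % (t, i))
        yield i, t, value
        i += 2 + length


def firmware_settings(data: bytes) -> Dict[str, object]:
    """Collect the settings the ISP uses to steer the modem onto a given image."""
    settings: Dict[str, object] = {}
    for _, t, v in iter_tlvs(data):
        if t == TLV_SW_UPGRADE_FILENAME:
            settings["sw_upgrade_filename"] = v.decode("ascii", errors="replace")
        elif t == TLV_SW_UPGRADE_TFTP_SERVER and len(v) == 4:
            settings["sw_upgrade_tftp_server"] = ".".join(str(b) for b in v)
        elif t == TLV_NETWORK_ACCESS and len(v) == 1:
            settings["network_access"] = bool(v[0])
        elif t == TLV_DOWNSTREAM_FREQ and len(v) == 4:
            settings["downstream_freq_hz"] = struct.unpack(">I", v)[0]
    return settings


def cm_mic_ok(data: bytes) -> bool:
    """Verify the CM MIC: MD5 of every byte preceding the type-6 TLV."""
    for off, t, v in iter_tlvs(data):
        if t == TLV_CM_MIC:
            return hmac.compare_digest(hashlib.md5(data[:off]).digest(), v)
    return False  # no MIC present; a modem rejects such a file


def tlv(t: int, v: bytes) -> bytes:
    """Encode one TLV (top-level values are limited to a one-byte length)."""
    if len(v) > 255:
        raise ValueError("value too long for a one-byte length")
    return bytes([t, len(v)]) + v


def build_sample_config() -> bytes:
    """Constructed provisioning file; the filename and server are made up."""
    body = (
        tlv(TLV_DOWNSTREAM_FREQ, struct.pack(">I", 602_000_000))
        + tlv(TLV_NETWORK_ACCESS, b"\x01")
        + tlv(TLV_SW_UPGRADE_FILENAME, b"example-firmware.bin")
        + tlv(TLV_SW_UPGRADE_TFTP_SERVER, bytes([10, 0, 0, 5]))
    )
    body += tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    # The CMTS MIC needs the operator's shared secret, which this example does
    # not model, so it carries a zeroed placeholder.
    body += tlv(TLV_CMTS_MIC, bytes(16))
    return body + bytes([TLV_END])


if __name__ == "__main__":
    cfg = build_sample_config()
    print(firmware_settings(cfg))
    print("CM MIC valid:", cm_mic_ok(cfg))
```

Run against a real config file pulled off a TFTP server or a lab CMTS, `firmware_settings` shows exactly which image name and server the operator is pointing the modem at, which is the information you would need before looking for that image anywhere else. Compound TLVs (class of service, service flows) carry sub-TLVs inside their value; this example leaves those opaque since the image-control settings are all top-level.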

  • 3 years later...

Hello! Good evening to all, a pleasure. Regarding the question of the friend who wanted to extract the firmware from the CBN: if you can write to me in my inbox, just use flashcat or ulink with a SOIC clip and that's it. If someone in the European area (the country does not matter) wants an HFC test, they can write to me in my inbox.

