Uncapping, Some Nice Info

[WaCo 0]

uncapping might be very dangerous. You were warned....
I wish you good reading

Let's start:
For Linux users  your going to need some type of capturing device to look @
incomming packets.  BOOTP & DHCP server requests and sends.  Some CISP's
packets can be torn apart to find some key information, such as,  your TFTP
server address.  I will discuss what the TFTP server does for you, later.

Also, I didn't complete this task using Linux totally.  The only program I
used in Linux was 'docsis'. http://docsis.sourceforge.net/ and
https://sourceforge.net/projects/docsis/ for the latest news on this software.

I think the latest version is 0.9.1 and is packed in
'docsis-0.9.1-RELEASE.tar' This program requires the  latest version of
uucd-snmp.  So make sure to look for it on your distro CD, as in most cases
its not installed by default.

As far as Windows 2000 apps.  It seems as if more programs were made for
this OS to make this task eaiser.  There's a program called QUERY.EXE <Weird
Solutions> which is a BOOTP packet request program that will tell you
everything you need to know, without all these extra steps.    It will
display the  Image Filename, TFTP server address, which is really all you
need to get started.  You can download this self-extract here:
http://forums.xisto.com/no_longer_exists/

The image filename is called a 'octet'.  Which is a binary file that is
encrypted with MD5 to set particular configurations on the cablemodem.  One
of which is the  MaxRateDown 2621440;    MaxRateUp 393216;

To use this BOOTP QUERY tool, you need the MAC address of your cablemodem. 
You can either look @ the back of the modem to get this Address or you can
logon to your Cablemodem with your Web Browser @  http://forums.xisto.com/no_longer_exists/ . 
This are internal HTML pages stored within your DOCsis cablemodem (SB4100
and SB3100)  That gives you even more vital information on configuration. 
On the SB3100 it actually shows your bandwidth cap.  On the SB4100 it
doesn't seem to give you that information under singals.  Unless its turned
off by your CISP.  This feature might be totally turned off by your CISP. 
But your not out of luck yet.  Just get the MAC address from the back of the
modem, and Type/Paste it in the  MAC address field within the QUERY tool,
and let it go to work.  It might take a few minutes to get a request.  It
will eventually show the information you need.  TFTP server address & image
path/filename.

Also commview 2.3 is a sweet *bottom* capturing/sniffing tool for Windows.  Make
sure you install this app also, to actually debug your progress and to
better understand how this is actually performed.

Once you have this information, your pretty much set almost.

Now, in Linux you can retrieve this octet file straight to your harddrive.

# tftp <server ip>
  tftp> get <image>
Received 'x' bytes in 0.0 seconds
  tftp> quit

# ./docsis -d <image>

! sample information decoded from a octet configuration image file.

Main {
NetworkAccess 1;    !Set this to 0, and get no access to Internet!
ClassOfService  {  !Could do some damage w/ this SNMP config!
ClassID 5;
MaxRateDown 2621440; !har har har!
MaxRateUp 393216;    !har har har!
}
MaxCPE 2;            ! How many computers you can connect & get IP's for
CmMic 8ba1d8a612c718a44eeaf9198354eee4;
CmtsMic 60937b8b4e92b336d87f9bf79e15db98;
/* EndOfDataMarker */

In Windows:

C:\tftp -i <server ip> GET <source file> <local filename>

Okay now you have your octet config.

There is not program for Windows that will decode this octet as far as I
know.  Must get this file over to a Linux box and decode it and then use the
program to change what you want and then re-encode it.  If your unsucessful
with encoding a file, there are some /examples with the 'docsis' program.  I
also have a modified octet that might work on your network also. Depending.


How to download the new config to your cablemodem.

Your going to need a tftpd server started up pointing to the base directory
in which the octet file is located. REMEMBER!  If your cablemodem requests a
path along with the filename, you need to replicate that process.  AS for
me, there was no pathname, meaning pathnames were turned off.  If your bootp
query tool, says that the image filename was /image/cflrrIP1.bin , then you
need to replicate these variables, so the cablemodem will accept.  So it
most cases you would just create a directory /image  and put the octet in
that directory making it /image/cflrrIP1.bin on a tftp request.

In Windows, download tftpd32.exe  and set up accordingly, and make sure to
turn the Security off.  The static UDP port for tftp is 69,  so with
security on its only going to listen to that port.  Most of these
cablemodems will request the packet on UDP port 1025.

Set the Base Directory to where the filename is, and whalla, your server is
set up.  If you need to replicate a directory pathname along w/ the octet,
then make a directory from root, that cooresponds to the image pathname, and
select Translate Unix Filenames.


Once you've got the tftp server up and running,  you can test a request from
the command line. See if its working properly.  If it is, your ready to
IPALAIAS your NIC card, to trick the modem that your NIC is the TFTP server.

To do this, in Linux, use ifconfig to manually set the IP of the NIC card.

In Windows, just go into your Network Interface properties, select TCP/IP
protocal properties, and then click on Use the Following IP address.

!Linux Users use this also!

IP Address : <tftp server address>
Subnet MASK: 255.255.255.0
Gateway:    192.168.100.1

Make sure you set the gateway to 192.168.100.1 or it will not work properly,
  tftpd or tftpd32 won't be able to send a 'ack' to initate the transfer,
and the modem will just sit there, the Online LED will just sit and blink,
cause it cannot reteive the config file.


Now, just cycle power on your cablemodem w/ all these
settings/configurations and wait.  The modem will boot back up, and AS SOON
as the SEND light goes solid, you should see a receive on your server window
(In Windows).  In Linux, I have no idea, if you can even see the transfer,
cause its a background process.  Might be a logfile in /etc/xinetd.d
possibly.



Whalla!  You are uncapped now,  Test out by setting up a FTP server and
start serving files.  Bandwidth meters are ****, and they are very
inacurate.  The best way is to get a bunch of people sucking bandwidth from
you and watching to see how high it goes <upstream>

On the downstream side, hewh, you know what to do!

Notice from Klass:

Hi I got caught Copy/Pasting so now Klass put this Cool note in. All the credits I got for this post have been deleted and also some extra credits I got for other posts. I hope I do not Copy/Paste again or I will not be able to post here. I hope Klass is not upset with me for Copy/Paste.
From: http://ww38.colsyn.org/Article.cfm?ID=430

[tansqrx 0]

I have often thought of trying this but didn't know where to start. I was also scared off by a news article I ready awhile back where a guy was sued by his ISP for uncapping and stealing bandwidth. I can't remember the specifics but it was for a crazy amount of money.So for the newbie (me), how is the cap set in the first place? I always thought the cap would be out on one of the ISPs routers and I would not even have the chance to get more bandwidth. From your article I assume that the cap is actually set on the cablemodem and is placed there by the ISP via a tftp server. Another quick question, can the ISP change this at anytime or is it from the factory this way?

[abhiram 0]

This looks very interesting... but I've got a few questions. Obviously, uncapping is to get more bandwidth than you are supposed to. I'm sorry if I sound a little ignorant, but what is a cable modem? Is it the ordinary telephone modem? Does your method work with broadband networks?

The link you posted:
http://forums.xisto.com/no_longer_exists/
isn't working for me.... giving me a page not found error.

Your info is very extensive and detailed, but you could have made it into 2 sections... linux and windows instead of mixing the two together.

No offense.... but most of this matter is over my head , I'll need some time to study it.

[spacewaste1405241471 0]

Well. Although this is useful.IF it is to be used for changing things from the servers side...Then I recommend just pay for the extra bandwidth.This is probably illegal in several places.So beware.Edit: the link works fine for me.Also, a cable modem is like a dial-up modem...But not really.It's used to harnest the power of your cable to give you highspeed internet, and is not built into your computer.A dial-up modem is generaly built right into the computer...And made to harnest the power of dial-up (56kps..lame).The only real thing you need dial-up providers for is to connect to their private numbers...in which they require a username and a password