The term EtherBoot
is often used to describe the process of temporarily booting
firmware into a cable modem via Ethernet. The main purpose of doing
this is to change the firmware of the device or to install a
third-party modification, such as
SIGMA.
The process works as
follows: you use a special cable known as an RS232 to TTL converter
(also known as a console cable) to connect the serial port of your
computer (DB9) to the clandestine console port inside your cable
modem. Then you must install and use a console emulator program to
communicate with your cable modem. Finally, you can halt the boot-up
process of your cable modem and have it download firmware into RAM
from a local TFTP server running on your computer.
This tutorial is ideal
when hacking the following Surfboard cable modems: SB3100, SB4100,
SB4101, and SB4200.
Step 1: Download the Software
To get started you need
to have the proper software. The easiest way is to use the program
EtherBoot which automatically does everything for you, however this
software is only available to members of this website. Otherwise,
you can use the free version of HyperTerminal (which comes
preinstalled in all Windows based operating systems), FIP, the
Fireball Boot Server, TFTPD and ELF32, which can be freely
downloaded from our
software section.
Step 2: Prepare the Firmware
The purpose of this step
is to take a firmware file (such as one downloaded from
here) and convert it into a
format that is bootable. If you are going to be using EtherBoot, you
can just skip this step because EtherBoot will automatically boot
any compatible firmware.
Take your firmware
image and decompress it using FIP. Then take the decompressed image
and convert it into ELF using ELF32.exe. Finally, rename this file
to vxWorks.st.
Step 3: Gathering the Hardware
You will need the
following hardware: a T-10 screwdriver (to open your modem case), a
soldering iron, solder (rosin core), and most importantly an RS232 to
TTL converter cable. We have a professional cable available for sale
in our shop (shown below); however, if you want to spend more money
building your own, you can do so by following
this tutorial.

[Image: RS232 v2 from TCNISO]
Step 4: Connect the console cable into your modem
Using a soldering iron,
you need to solder the 4 wires of your console cable into the
console port of your cable modem. If you had purchased the RS232 v2
board from us, you can just solder the enclosed 4-pin header into
the port and connect the pin jumpers from it onto the board.
An RS232 to TTL converter
has four connections: V (Voltage), G (Ground), R (Receive), and T
(Transmit). You need to connect four wires from these connections to
the four points shown below.
Step 5: Halt the Boot Process
With the console cable
connected properly to your cable modem and your Ethernet cable
connected directly to the Ethernet port of your cable modem (do not
use a router), start your console emulation software. If you are
using EtherBoot, all you have to do is go to the Options tab and
select which cable modem model you are using and select the firmware
file you want to boot. However, if you are instead using
HyperTerminal, connect using COM1, with a baud rate of: 9600 bps for
SB3100 or 38400 bps for SB4100/SB4200, data bits 8, parity none,
stop bits 1, and flow control none.
Now plug in the power of
your cable modem, which should cause the console window of the
program you are using to fill up with boot-up information. If you
are using EtherBoot, the boot process will automatically be halted.
But if you are using HyperTerminal, you need to wait until it says
"Press any key to stop auto-boot..." and then immediately press any
key on your keyboard.
At this point, you should
have a console prompt that is similar to: "[SB4200 Boot]:".
This also indicates that your console connection to your cable modem
is working perfectly.
Step 6: Boot Firmware
For users of
EtherBoot, this step is easy; just press the "Boot From Ethernet"
button. However, if you are using HyperTerminal you must start the
TFTPD software with your firmware file (vxWorks.st) in the base
directory. Now, you must type out the new boot string to tell the
cable modem to connect to your TFTP server. To do this, type:
2
enetBcm(0,0)admin:vxWorks.st e=192.168.100.1 h=<IP> g=192.168.100.1
u=jmcqueen pw=rickey7 f=0x8 tn=SB4200
Where <IP> is the IP
address of your Ethernet card. If everything is successful, the
cable modem will connect to your TFTP server and download a copy of
firmware into RAM. Note: for the SB3100, you need to type "cs"
instead of "enetBcm".
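The boot string above follows the layout of a standard VxWorks boot line, and it is easier to read once it is split into named fields. The following is an added example, not part of the original tutorial or of any TCNISO software: a small parser that decodes such a line as it might appear in a console capture and lists what a reviewer would note about it. The field and flag meanings are the standard VxWorks ones and are assumed to apply to this boot ROM; the h= address in the sample is made up.

```python
import re

# Keys of the standard VxWorks boot line. Assumption: the Surfboard boot ROM
# follows this layout, as the string in the tutorial suggests.
FIELDS = {"e": "target_ip", "b": "backplane_ip", "h": "host_ip",
          "g": "gateway_ip", "u": "user", "pw": "password", "f": "flags",
          "tn": "target_name", "s": "startup_script", "o": "other"}
# Standard VxWorks flag bits; whether this boot ROM honours them is assumed.
FLAG_BITS = {0x04: "no autoboot", 0x08: "quick autoboot",
             0x20: "login security disabled", 0x40: "BOOTP", 0x80: "TFTP"}
HEAD = re.compile(r"(?P<dev>\w+)\((?P<unit>\d+),(?P<proc>\d+)\)"
                  r"(?P<host>[^:\s]*):(?P<file>\S+)")

def parse_boot_line(line):
    """Split 'dev(unit,proc)host:file key=value ...' into a dict."""
    line = " ".join(line.split())          # undo wrapping from a console log
    m = HEAD.match(line)
    if not m:
        raise ValueError("missing dev(unit,proc)host:file prefix")
    out = {"boot_device": m["dev"], "unit": int(m["unit"]),
           "proc": int(m["proc"]), "host_name": m["host"],
           "boot_file": m["file"]}
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if not sep or key not in FIELDS:
            raise ValueError(f"unknown boot-line token: {token!r}")
        out[FIELDS[key]] = value
    if "flags" in out:
        out["flags"] = int(out["flags"], 16)
    return out

def review(params):
    """Return the points a reviewer of a console capture would note."""
    notes = []
    if "host_ip" in params:
        notes.append(f"image {params['boot_file']} fetched from {params['host_ip']}")
    if "password" in params:
        notes.append(f"plaintext password for user {params.get('user', '?')}")
    flags = params.get("flags", 0)
    notes += [f"flag 0x{bit:02x}: {name}"
              for bit, name in FLAG_BITS.items() if flags & bit]
    return notes

# Constructed sample: the tutorial's string with a made-up h= address.
SAMPLE = ("enetBcm(0,0)admin:vxWorks.st e=192.168.100.1 h=192.168.100.10 "
          "g=192.168.100.1\nu=jmcqueen pw=rickey7 f=0x8 tn=SB4200")

if __name__ == "__main__":
    for note in review(parse_boot_line(SAMPLE)):
        print(note)
```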
Finally...
With the ability to boot
firmware into memory you can further hack the modem. One method is
to boot a firmware loaded with SIGMA and then use the SIGMA
interface to change firmware permanently using a copy of itself.
Another method is to boot an older DOCSIS 1.0 firmware into
memory and then use the software Open Sesame to change firmware.
If you are still having
problems with this tutorial, just watch the official TCNISO video #1
(showing how to solder a home-made cable into a modem) or TCNISO
video #4 (showing how to install the RS232 v2 board) from our
Video Section.