SB5101 Running Rev 39 stopped working in SoCal area w/ telnet log.

[skEwb]

The modem always tells any connecting device its just 192.168.100.11. I should note that when BPI+ is enabled the Modem status says "Registration Complete" however when BPI+ Bypbass is on the modem briefly says "Operational" and then it completely freezes out and is not accessible. In the past when it worked it used to say "Operational" and give out a proper IP Address etc. and the internet was working. When using BPI+ it stays on the proper upstream ID channel 2, when switching to BPI+ Bypass it goes to upstream ID channel 1. I know for a fact with a working non modified modem that upstream ID channel 2 is where it needs to be. I'm not sure why when going to BPI+ Bypass the upstream ID channel is switched back to 1. Here are the output logs with BPI+ on and off (the modem mac has been censored with xx:xx:xx:xx:xx:xx):

BPI+ Docsis 1.1:

DHCPc: Sending Request packet; client id htype=1, value=xx:xx:xx:xx:xx:xx
DHCPc: Received an Ack from DHCP server xx:xx:xx:xx:xx:xx (10.253.240.1); lease client id htype=1, value=xx:xx:xx:xx:xx:xx
Current IP address is default 0.0.0.0.
0x0000489e [DHCP Client Thread] BcmEcosIpHalIf::ConfigureLeaseImpl: (IP Stack1 HalIf)
Configuring IP stack 1:
IP Address = 10.253.241.17 (primary IP address)
Subnet Mask = 255.255.240.0
Router = 10.253.240.1
IsPrimaryInterface = 1

Logging event: DHCP WARNING - Non-critical field invalid in response.
ARPing for default GW IP = 10.253.240.1
MAC = xx:xx:xx:xx:xx:xx
DHCP completed successfully!

DHCP Settings:
Client Id = htype=1, value=xx:xx:xx:xx:xx:xx
State = Renewing (5)
Static Lease = 0
AutoConfig Mode = IP, Subnet and Router
XID = 0x7ee405f
Number of Tries = 0
Max Discover Tries = 6
Max Request Tries = 6
DHCP server MAC addr = xx:xx:xx:xx:xx:xx
Ignore NAKs = 0
My offered IP address = 10.253.241.17 (primary IP address)
(1) Subnet Mask = 255.255.240.0
(3) Router IP address = 10.253.240.1
(54) DHCP Server IP address = 76.85.238.62
(82) Relay Agent IP address = 10.253.240.1
TFTP Server IP address = 76.85.237.68
CM Configuration file = '?BExV7j4ADEEJGqgK_fER@Cv3xETIjKfh5eJJNvyrdapkN UghRVX8Q'
(2) UTC Time Offset = 0 seconds
(4) Time Server IP address = 76.85.237.68
(6) Domain Name Server = 66.75.164.89; 66.75.164.90
(7) Log Server IP address =
(51) Lease time = 3462 seconds
(58) T1 (renew) = 1731 seconds
(59) T2 (rebind) = 3029 seconds
Lease is infinite = 0


SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.253.241.17, Subnet=2 55.255.240.0, Gateway=10.253.240.1
CmSnmpAgent::IpAddressAcquiredEvent for SB5102 CM Agent w/ BRCM Factory Suppor t
IP addr = 10.253.241.17
Starting Time Of Day...
0x0000493e [CmDocsisIpThread] BcmDocsisTimeOfDayThread::SetTodServerIpAddress: (Time Of Day Thread) ToD servers: 76.85.237.68
Connecting to ToD server 76.85.237.68...
Sending UDP ToD request to server...
SNMP Agent Binding to 10.253.241.17:225
Not logging event ID 2291949724, control for level 7 is 0.
CM> UTC returned by ToD server 3539351658; UTC offset 0
Current system time -> Mon Feb 27 17:14:18 2012

System start time -> Mon Feb 27 17:13:59 2012

Starting Tftp of configuration file...
Opening file '?BExV7j4ADEEJGqgK_fER@Cv3xETIjKfh5eJJNvyrdapkNUghRVX8Q' on 76.85.2 37.68 for reading...
tftp-enforce bypass is using 76.85.237.68:?BExV7j4ADEEJGqgK_fER@Cv3xETIjKfh5eJJN vyrdapkNUghRVX8Q
Initiating fake TFTP Get (tftp-enforce bypass)
CM> Bypass failed.Error Operation timed out
0x00006252 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server T hread) Callback request expired:
timerDuration secs = 20
current time secs = 25
elapsed time secs = 20
0x00006252 [DHCP Server Thread] BcmDhcpServerIf::ElapsedTimeSec: (DHCP ServerIf Instance(1) for IP Stack2) Lease 192.168.100.11 : htype=0, value=00 11 c5 fb 4d c9 has EXPIRED!
CM> 0x000065cc [CmDocsisIpThread] Tftp Client::GetReply: (Tftp Client) Timed ou t on socket select!
0x000065cc [CmDocsisIpThread] Tftp Client::Send: (Tftp Client) Attempt #(1) Bac koff (2) Exp Block #(1) Last Block #(0) Recv'd Block #(0)
tftp-enforce bypass is using 76.85.237.68:?BExV7j4ADEEJGqgK_fER@Cv3xETIjKfh5eJJN vyrdapkNUghRVX8Q
Initiating fake TFTP Get (tftp-enforce bypass)
CM> 0x00006b1c [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Serv er Thread) Callback request expired:
timerDuration secs = 1
current time secs = 27
elapsed time secs = 1
CM> Bypass failed.Error Operation timed out
0x00008264 [CmDocsisIpThread] Tftp Client::GetReply: (Tftp Client) Timed out on socket select!
0x00008264 [CmDocsisIpThread] Tftp Client::Send: (Tftp Client) Attempt #(1) Backoff (2) Exp Block #(4) Last Block #(3) Recv'd Block #(3)
CM> 0x00009204 [CmDocsisIpThread] Tftp Client::GetReply: (Tftp Client) Timed out on socket select!
0x00009204 [CmDocsisIpThread] Tftp Client::Send: (Tftp Client) Attempt #(2) Backoff (4) Exp Block #(4) Last Block #(3) Recv'd Block #(3)
CM> 0x00009632 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 38
elapsed time secs = 1
CM> 0x0000a9e2 [CmDocsisIpThread] Tftp Client::GetReply: (Tftp Client) Timed out on socket select!
0x0000a9e2 [CmDocsisIpThread] Tftp Client::Send: (Tftp Client) Attempt #(1) Backoff (2) Exp Block #(5) Last Block #(4) Recv'd Block #(4)
CM> 0x0000bdce [CmDocsisIpThread] Tftp Client::GetReply: (Tftp Client) Timed out on socket select!
0x0000bdce [CmDocsisIpThread] Tftp Client::Send: (Tftp Client) Attempt #(1) Backoff (2) Exp Block #(6) Last Block #(5) Recv'd Block #(5)
CM> 0x0000c152 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 49
elapsed time secs = 1
CM> Storing received cfg of size 3587 to memory
Tftp read < 512 bytes, we have reached end of file.
Tftp transfer complete!
TFTP Settings:
Stack Interface = 1
Server Ip Address = 76.85.237.68
Server Port Number = 36096
Total Blocks Read = 8
Total Bytes Read = 3587

Config file was read! IP Initialization completed...
MAX CPE per CM is being set to 32
TLV-11[1]: 1.3.6.1.2.1.69.1.2.1.2.16 -> 255.255.255.255
TLV-11[2]: 1.3.6.1.2.1.69.1.2.1.3.16 -> 255.255.255.255
TLV-11[3]: 1.3.6.1.2.1.69.1.2.1.4.16 -> Swou9riu
TLV-11[4]: 1.3.6.1.2.1.69.1.2.1.5.16 -> 3 (i32)
TLV-11[5]: 1.3.6.1.2.1.69.1.2.1.6.16 -> HEX:40 00
TLV-11[6]: 1.3.6.1.2.1.69.1.2.1.7.16 -> 4 (i32)
TLV-11[7]: 1.3.6.1.2.1.69.1.2.1.2.18 -> 255.255.255.255
TLV-11[8]: 1.3.6.1.2.1.69.1.2.1.3.18 -> 255.255.255.255
TLV-11[9]: 1.3.6.1.2.1.69.1.2.1.4.18 -> yZaK4E8l
TLV-11[10]: 1.3.6.1.2.1.69.1.2.1.5.18 -> 2 (i32)
TLV-11[11]: 1.3.6.1.2.1.69.1.2.1.6.18 -> HEX:40 00
TLV-11[12]: 1.3.6.1.2.1.69.1.2.1.7.18 -> 4 (i32)
TLV-11[13]: 1.3.6.1.2.1.69.1.2.1.2.20 -> 255.255.255.255
TLV-11[14]: 1.3.6.1.2.1.69.1.2.1.3.20 -> 255.255.255.255
TLV-11[15]: 1.3.6.1.2.1.69.1.2.1.4.20 -> daYDjtCSVIE5hFp
TLV-11[16]: 1.3.6.1.2.1.69.1.2.1.5.20 -> 3 (i32)
TLV-11[17]: 1.3.6.1.2.1.69.1.2.1.6.20 -> HEX:40 00
TLV-11[18]: 1.3.6.1.2.1.69.1.2.1.7.20 -> 4 (i32)
TLV-11[19]: 1.3.6.1.2.1.69.1.6.1.0 -> 1 (i32)
TLV-11[20]: 1.3.6.1.2.1.69.1.6.2.1.2.20 -> 4 (i32)
TLV-11[21]: 1.3.6.1.2.1.69.1.6.2.1.3.20 -> 0 (i32)
TLV-11[22]: 1.3.6.1.2.1.69.1.6.2.1.4.20 -> 1 (i32)
TLV-11[23]: 1.3.6.1.2.1.69.1.6.2.1.5.20 -> 2048 (i32)
TLV-11[24]: 1.3.6.1.2.1.69.1.6.2.1.2.22 -> 4 (i32)
TLV-11[25]: 1.3.6.1.2.1.69.1.6.2.1.3.22 -> 0 (i32)
TLV-11[26]: 1.3.6.1.2.1.69.1.6.2.1.4.22 -> 1 (i32)
TLV-11[27]: 1.3.6.1.2.1.69.1.6.2.1.5.22 -> 2054 (i32)
TLV-11[28]: 1.3.6.1.2.1.69.1.6.3.0 -> 2 (i32)
TLV-11[29]: 1.3.6.1.2.1.69.1.6.4.1.2.80 -> 4 (i32)
TLV-11[30]: 1.3.6.1.2.1.69.1.6.4.1.4.80 -> 1 (i32)
TLV-11[31]: 1.3.6.1.2.1.69.1.6.4.1.5.80 -> 1 (i32)
TLV-11[32]: 1.3.6.1.2.1.69.1.6.4.1.9.80 -> 10.0.0.0
TLV-11[33]: 1.3.6.1.2.1.69.1.6.4.1.10.80 -> 255.0.0.0
TLV-11[34]: 1.3.6.1.2.1.69.1.6.4.1.2.135 -> 4 (i32)
TLV-11[35]: 1.3.6.1.2.1.69.1.6.4.1.4.135 -> 2 (i32)
TLV-11[36]: 1.3.6.1.2.1.69.1.6.4.1.5.135 -> 1 (i32)
TLV-11[37]: 1.3.6.1.2.1.69.1.6.4.1.11.135 -> 6 (i32)
TLV-11[38]: 1.3.6.1.2.1.69.1.6.4.1.14.135 -> 135 (i32)
TLV-11[39]: 1.3.6.1.2.1.69.1.6.4.1.15.135 -> 139 (i32)
TLV-11[40]: 1.3.6.1.2.1.69.1.6.4.1.2.136 -> 4 (i32)
TLV-11[41]: 1.3.6.1.2.1.69.1.6.4.1.4.136 -> 2 (i32)
TLV-11[42]: 1.3.6.1.2.1.69.1.6.4.1.5.136 -> 1 (i32)
TLV-11[43]: 1.3.6.1.2.1.69.1.6.4.1.11.136 -> 17 (i32)
TLV-11[44]: 1.3.6.1.2.1.69.1.6.4.1.14.136 -> 135 (i32)
TLV-11[45]: 1.3.6.1.2.1.69.1.6.4.1.15.136 -> 139 (i32)
TLV-11[46]: 1.3.6.1.2.1.69.1.6.4.1.2.445 -> 4 (i32)
TLV-11[47]: 1.3.6.1.2.1.69.1.6.4.1.4.445 -> 2 (i32)
TLV-11[48]: 1.3.6.1.2.1.69.1.6.4.1.5.445 -> 1 (i32)
TLV-11[49]: 1.3.6.1.2.1.69.1.6.4.1.11.445 -> 6 (i32)
TLV-11[50]: 1.3.6.1.2.1.69.1.6.4.1.14.445 -> 445 (i32)
TLV-11[51]: 1.3.6.1.2.1.69.1.6.4.1.15.445 -> 445 (i32)
TLV-11[52]: 1.3.6.1.2.1.69.1.6.4.1.2.446 -> 4 (i32)
TLV-11[53]: 1.3.6.1.2.1.69.1.6.4.1.4.446 -> 2 (i32)
TLV-11[54]: 1.3.6.1.2.1.69.1.6.4.1.5.446 -> 1 (i32)
TLV-11[55]: 1.3.6.1.2.1.69.1.6.4.1.11.446 -> 17 (i32)
TLV-11[56]: 1.3.6.1.2.1.69.1.6.4.1.14.446 -> 445 (i32)
TLV-11[57]: 1.3.6.1.2.1.69.1.6.4.1.15.446 -> 445 (i32)
TLV-11[58]: 1.3.6.1.2.1.69.1.6.4.1.2.593 -> 4 (i32)
TLV-11[59]: 1.3.6.1.2.1.69.1.6.4.1.4.593 -> 2 (i32)
TLV-11[60]: 1.3.6.1.2.1.69.1.6.4.1.5.593 -> 1 (i32)
TLV-11[61]: 1.3.6.1.2.1.69.1.6.4.1.11.593 -> 6 (i32)
TLV-11[62]: 1.3.6.1.2.1.69.1.6.4.1.14.593 -> 593 (i32)
TLV-11[63]: 1.3.6.1.2.1.69.1.6.4.1.15.593 -> 593 (i32)
TLV-11[64]: 1.3.6.1.2.1.69.1.6.4.1.2.64 -> 4 (i32)
TLV-11[65]: 1.3.6.1.2.1.69.1.6.4.1.4.64 -> 2 (i32)
TLV-11[66]: 1.3.6.1.2.1.69.1.6.4.1.5.64 -> 1 (i32)
TLV-11[67]: 1.3.6.1.2.1.69.1.6.4.1.11.64 -> 17 (i32)
TLV-11[68]: 1.3.6.1.2.1.69.1.6.4.1.12.64 -> 68 (i32)
TLV-11[69]: 1.3.6.1.2.1.69.1.6.4.1.13.64 -> 68 (i32)
TLV-11[70]: 1.3.6.1.2.1.69.1.6.4.1.14.64 -> 67 (i32)
TLV-11[71]: 1.3.6.1.2.1.69.1.6.4.1.15.64 -> 67 (i32)
TLV-11[72]: 1.3.6.1.2.1.69.1.6.4.1.2.66 -> 4 (i32)
TLV-11[73]: 1.3.6.1.2.1.69.1.6.4.1.4.66 -> 1 (i32)
TLV-11[74]: 1.3.6.1.2.1.69.1.6.4.1.5.66 -> 1 (i32)
TLV-11[75]: 1.3.6.1.2.1.69.1.6.4.1.11.66 -> 17 (i32)
TLV-11[76]: 1.3.6.1.2.1.69.1.6.4.1.12.66 -> 67 (i32)
TLV-11[77]: 1.3.6.1.2.1.69.1.6.4.1.13.66 -> 67 (i32)
TLV-11[78]: 1.3.6.1.2.1.69.1.6.4.1.14.66 -> 68 (i32)
TLV-11[79]: 1.3.6.1.2.1.69.1.6.4.1.15.66 -> 68 (i32)
TLV-11[80]: 1.3.6.1.2.1.69.1.6.4.1.2.172 -> 4 (i32)
TLV-11[81]: 1.3.6.1.2.1.69.1.6.4.1.4.172 -> 2 (i32)
TLV-11[82]: 1.3.6.1.2.1.69.1.6.4.1.5.172 -> 2 (i32)
TLV-11[83]: 1.3.6.1.2.1.69.1.6.4.1.9.172 -> 172.16.0.0
TLV-11[84]: 1.3.6.1.2.1.69.1.6.4.1.10.172 -> 255.240.0.0
TLV-11[85]: 1.3.6.1.2.1.69.1.6.4.1.2.681 -> 4 (i32)
TLV-11[86]: 1.3.6.1.2.1.69.1.6.4.1.4.681 -> 0 (i32)
TLV-11[87]: 1.3.6.1.2.1.69.1.6.4.1.5.681 -> 1 (i32)
TLV-11[88]: 1.3.6.1.2.1.69.1.6.4.1.9.681 -> 239.193.253.0
TLV-11[89]: 1.3.6.1.2.1.69.1.6.4.1.10.681 -> 255.255.255.0
TLV-11[90]: 1.3.6.1.2.1.69.1.6.4.1.2.682 -> 4 (i32)
TLV-11[91]: 1.3.6.1.2.1.69.1.6.4.1.4.682 -> 1 (i32)
TLV-11[92]: 1.3.6.1.2.1.69.1.6.4.1.5.682 -> 3 (i32)
TLV-11[93]: 1.3.6.1.2.1.69.1.6.4.1.9.682 -> 10.128.0.0
TLV-11[94]: 1.3.6.1.2.1.69.1.6.4.1.10.682 -> 255.192.0.0
TLV-11[95]: 1.3.6.1.2.1.69.1.6.4.1.2.683 -> 4 (i32)
TLV-11[96]: 1.3.6.1.2.1.69.1.6.4.1.3.683 -> 2 (i32)
TLV-11[97]: 1.3.6.1.2.1.69.1.6.4.1.4.683 -> 1 (i32)
TLV-11[98]: 1.3.6.1.2.1.69.1.6.4.1.5.683 -> 1 (i32)
TLV-11[99]: 1.3.6.1.2.1.69.1.6.4.1.9.683 -> 224.0.0.9
TLV-11[100]: 1.3.6.1.2.1.69.1.6.4.1.10.683 -> 255.255.255.255
TLV-11[101]: 1.3.6.1.2.1.69.1.6.4.1.11.683 -> 17 (i32)
TLV-11[102]: 1.3.6.1.2.1.69.1.6.4.1.2.684 -> 4 (i32)
TLV-11[103]: 1.3.6.1.2.1.69.1.6.4.1.4.684 -> 1 (i32)
TLV-11[104]: 1.3.6.1.2.1.69.1.6.4.1.5.684 -> 1 (i32)
TLV-11[105]: 1.3.6.1.2.1.69.1.6.4.1.9.684 -> 224.0.0.0
TLV-11[106]: 1.3.6.1.2.1.69.1.6.4.1.10.684 -> 240.0.0.0
TLV-11[107]: 1.3.6.1.2.1.69.1.6.4.1.11.684 -> 17 (i32)
Time Of Day completed...
DefaultSnmpAgentClass::SystemTimeChangeEvent for SB5102 CM Agent w/ BRCM Factory Support
SB5102 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.253.241.17:225
107 TLV-11's OK.
Sending a REG-REQ to the CMTS...
Not logging event ID 2291949524, control for level 7 is 0.
Not logging event ID 2291949324, control for level 7 is 0.
Received a REG-RSP message from the CMTS...
0x0000d69c [CmDocsisCtlThread] BcmCmDocsisCtlThread::RegRspMsgEvent: (CmDocsisCtlThread) We registered with a DOCSIS 1.1 config file!
Registration complete!
Process CVC
Co-signer CVC verified
At least one CVC is valid.
DOCSIS CoS/QoS rate shaping enable is now 1
CmSnmpAgent::CmOperationalEvent for SB5102 CM Agent w/ BRCM Factory Support
CmSnmpAgent operating in 1.1 mode, including docsQos, excluding docsBpi
+++ No DH kickstart profiles or snmpCommunityTable entries installed.
We will operate in NMACCESS mode.
SB5102 CM Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
SB5102 CM Agent w/ BRCM Factory Support enabling management.
SB5102 CM Agent w/ BRCM Factory Support sending deferred traps...
Done w/ deferred traps.
SB5102 CPE Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
0x0000d6ec [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndLaunchBpkm: (CmDocsisCtlThread) BPKM enabled. starting BPKM key requests.
SB5102 CM Event Log w/ BRCM Factory Support sending deferred async messages...
Done w/ deferred msgs
Logging event: Auth Reject - Permanent Authorization Failure
CM> 0x0000ec68 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 60
elapsed time secs = 1
CM> 0x0001177e [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 71
elapsed time secs = 1
CM> 0x0001428a [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 82
elapsed time secs = 1
CM> 0x00016d96 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 93
elapsed time secs = 1
CM>

With BPI+ Bypass:

ime Of Day completed...
DefaultSnmpAgentClass::SystemTimeChangeEvent for SB5102 CM Agent w/ BRCM Facto ry Support
Not logging event ID 2291949324, control for level 7 is 0.
CM>
CM> SB5102 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.253.241.17:225
107 TLV-11's OK.
Sending a REG-REQ to the CMTS...
Received a REG-RSP message from the CMTS...

MAC MGT msg buf, len=369
00 0c 41 09 1a a8 00 01 5c 32 2f 90 01 63 00 00 | ..A.....\2/..c..
03 01 07 00 04 2d 00 05 2d 01 01 01 02 01 02 03 | .....-..-.......
01 01 04 01 01 06 01 01 07 01 0f 08 01 10 0a 01 | ................
01 0b 01 18 0c 01 01 0f 01 01 10 04 00 00 00 01 | ................
11 01 01 13 01 01 08 03 00 01 5c 18 50 06 01 07 | ..........\.P...
01 02 00 01 02 04 00 00 05 63 03 02 04 2d 04 0b | .........c...-..
75 73 5f 68 73 64 5f 72 65 73 00 08 04 00 1f 40 | us_hsd_res.....@
00 0d 02 00 c8 0a 04 00 00 00 00 09 04 00 00 0b | ................
e4 07 01 00 0b 02 00 00 0c 02 00 00 0e 02 0b e4 | ................
17 02 00 00 0f 01 02 10 04 00 00 00 00 18 28 06 | ..............(.
01 07 01 02 00 03 02 04 00 00 05 65 03 02 04 2e | ...........e....
08 04 00 03 e8 00 09 04 00 00 0b e4 0e 02 0b e4 | ................
17 02 00 00 0f 01 02 19 41 06 01 07 01 02 00 05 | ........A.......
02 04 00 00 05 64 04 0b 64 73 5f 68 73 64 5f 72 | .....d..ds_hsd_r
65 73 00 08 04 00 ea 60 00 0d 02 00 c8 0a 04 00 | es.....`........
00 00 00 09 04 00 98 96 80 07 01 00 0b 02 00 00 | ................
0c 02 00 00 0e 04 00 00 00 00 19 19 06 01 07 01 | ................
02 00 07 02 04 00 00 05 66 08 04 00 03 e8 00 09 | ........f.......
04 00 00 0b e4 16 21 04 04 00 00 05 65 02 02 00 | ......!.....e...
01 01 01 06 03 02 00 03 0a 08 02 06 00 0c 41 09 | ..............A.
1a a8 05 01 01 06 01 01 17 27 04 04 00 00 05 66 | .........'.....f
02 02 00 01 01 01 16 03 02 00 07 0a 0e 01 0c 00 | ................
0c 41 09 1a a8 ff ff ff ff ff ff 05 01 01 06 01 | .A..............
01 | .



MAC MGT header:
dest addr: xx:xx:xx:xx:xx:xx
src addr: xx:xx:xx:xx:xx:xx
msg len: 0x163 (355)
DSAP: 0
SSAP: 0
control: 0x3
version: 0x1
msg_type: 0x7 REG_RSP
fka reserved: 0

MSG PDU:
primary sid: 0x42d
response code: 0 (kConfOk)


CM modem capabilities: T=0x05 (005) L=0x2d (045) V=
concat support: T=0x01 (001) L=0x01 (001) V=0x01 (1)
DOCSIS version: T=0x02 (002) L=0x01 (001) V=0x02 (2)
frag support: T=0x03 (003) L=0x01 (001) V=0x01 (1)
PHS support: T=0x04 (004) L=0x01 (001) V=0x01 (1)
BPI version: T=0x06 (006) L=0x01 (001) V=0x01 (1)
num DS SAID's: T=0x07 (007) L=0x01 (001) V=0x0f (15)
num US Sid's: T=0x08 (008) L=0x01 (001) V=0x10 (16)
TxEq Taps per Symbol: T=0x0a (010) L=0x01 (001) V=0x01 (1)
num TxEq Taps: T=0x0b (011) L=0x01 (001) V=0x18 (24)
DCC support: T=0x0c (012) L=0x01 (001) V=0x01 (1)
Unknown type. Ignore!: T=0x0f (015) L=0x01 (001) V=01 | .
Unknown type. Ignore!: T=0x10 (016) L=0x04 (004) V=00 00 00 01 | ....
L2VPN capability: T=0x11 (017) L=0x01 (001) V=0x01 (1)
DUT filtering support: T=0x13 (019) L=0x01 (001) V=0x01 (1)
Unknown type. Ignore!: T=0x08 (008) L=0x03 (003) V=00 01 5c | ..\

v1.1 US flow sets: T=0x18 (024) L=0x50 (080) V=
QoS param set type: T=0x06 (006) L=0x01 (001) V=0x07 (7)
CM flow ref: T=0x01 (001) L=0x02 (002) V=0x0001 (1)
sfid: T=0x02 (002) L=0x04 (004) V=0x00000563 (1379)
sid: T=0x03 (003) L=0x02 (002) V=0x042d (1069)
service class name: T=0x04 (004) L=0x0b (011) V='us_hsd_res'
75 73 5f 68 73 64 5f 72 65 73 00 | us_hsd_res.
max tx rate, bps: T=0x08 (008) L=0x04 (004) V=0x001f4000 (2048000)
inactivity Admit, sec: T=0x0d (013) L=0x02 (002) V=0x00c8 (200)
res tx rate, bits/sec: T=0x0a (010) L=0x04 (004) V=0x00000000 (0)
max burst, MAC bytes: T=0x09 (009) L=0x04 (004) V=0x00000be4 (3044)
traffic priority: T=0x07 (007) L=0x01 (001) V=0x00 (0)
res rate pkt size: T=0x0b (011) L=0x02 (002) V=0x0000 (0)
inactivity Active,sec: T=0x0c (012) L=0x02 (002) V=0x0000 (0)
max concat burst, byt: T=0x0e (014) L=0x02 (002) V=0x0be4 (3044)
IP ToS overwrite: T=0x17 (023) L=0x02 (002) V=00 00 | ..
us bw sched strategy: T=0x0f (015) L=0x01 (001) V=0x02 (2)
CM us req/tx options: T=0x10 (016) L=0x04 (004) V=0x00000000 (0)


v1.1 US flow sets: T=0x18 (024) L=0x28 (040) V=
QoS param set type: T=0x06 (006) L=0x01 (001) V=0x07 (7)
CM flow ref: T=0x01 (001) L=0x02 (002) V=0x0003 (3)
sfid: T=0x02 (002) L=0x04 (004) V=0x00000565 (1381)
sid: T=0x03 (003) L=0x02 (002) V=0x042e (1070)
max tx rate, bps: T=0x08 (008) L=0x04 (004) V=0x0003e800 (256000)
max burst, MAC bytes: T=0x09 (009) L=0x04 (004) V=0x00000be4 (3044)
max concat burst, byt: T=0x0e (014) L=0x02 (002) V=0x0be4 (3044)
IP ToS overwrite: T=0x17 (023) L=0x02 (002) V=00 00 | ..
us bw sched strategy: T=0x0f (015) L=0x01 (001) V=0x02 (2)


v1.1 DS flow sets: T=0x19 (025) L=0x41 (065) V=
QoS param set type: T=0x06 (006) L=0x01 (001) V=0x07 (7)
CM flow ref: T=0x01 (001) L=0x02 (002) V=0x0005 (5)
sfid: T=0x02 (002) L=0x04 (004) V=0x00000564 (1380)
service class name: T=0x04 (004) L=0x0b (011) V='ds_hsd_res'
64 73 5f 68 73 64 5f 72 65 73 00 | ds_hsd_res.
max tx rate, bps: T=0x08 (008) L=0x04 (004) V=0x00ea6000 (15360000)
inactivity Admit, sec: T=0x0d (013) L=0x02 (002) V=0x00c8 (200)
res tx rate, bits/sec: T=0x0a (010) L=0x04 (004) V=0x00000000 (0)
max burst, MAC bytes: T=0x09 (009) L=0x04 (004) V=0x00989680 (10000000)
traffic priority: T=0x07 (007) L=0x01 (001) V=0x00 (0)
res rate pkt size: T=0x0b (011) L=0x02 (002) V=0x0000 (0)
inactivity Active,sec: T=0x0c (012) L=0x02 (002) V=0x0000 (0)
max ds latency, usec: T=0x0e (014) L=0x04 (004) V=0x00000000 (0)


v1.1 DS flow sets: T=0x19 (025) L=0x19 (025) V=
QoS param set type: T=0x06 (006) L=0x01 (001) V=0x07 (7)
CM flow ref: T=0x01 (001) L=0x02 (002) V=0x0007 (7)
sfid: T=0x02 (002) L=0x04 (004) V=0x00000566 (1382)
max tx rate, bps: T=0x08 (008) L=0x04 (004) V=0x0003e800 (256000)
max burst, MAC bytes: T=0x00 (000) L=0x00 (000) V=0x00000xx0 (3044)


v1.1 US classifier: T=0x16 (022) L=0x21 (033) V=
CMTS flow id: T=0x04 (004) L=0x04 (004) V=0x00000565 (1381)
CMTS classifier id: T=0x02 (002) L=0x02 (002) V=0x0001 (1)
CM classifier ref: T=0x01 (001) L=0x01 (001) V=0x06 (6)
CM flow reference: T=0x03 (003) L=0x02 (002) V=0x0003 (3)

Ethernet classifier: T=0x0a (010) L=0x08 (008) V=
source MAC address: T=0x00 (000) L=0x00 (000) V=xx:xx:xx:xx:xx:xx
Rule priority: T=0x05 (005) L=0x01 (001) V=0x01 (1)
Activation state: T=0x06 (006) L=0x01 (001) V=0x01 (1)

v1.1 DS classifier: T=0x17 (023) L=0x27 (039) V=
CMTS flow id: T=0x04 (004) L=0x04 (004) V=0x00000566 (1382)
CMTS classifier id: T=0x02 (002) L=0x02 (002) V=0x0001 (1)
CM classifier ref: T=0x01 (001) L=0x01 (001) V=0x16 (22)
CM flow reference: T=0x03 (003) L=0x02 (002) V=0x0007 (7)

Ethernet classifier: T=0x0a (010) L=0x0e (014) V=
dest MAC addr & mask: T=0x01 (001) L=0x0c (012) V=
xx xx xx xx xx xx ff ff ff ff ff ff | ..A.........
Rule priority: T=0x05 (005) L=0x01 (001) V=0x01 (1)
Activation state: T=0x06 (006) L=0x01 (001) V=0x01 (1)
0x000062de [CmDocsisCtlThread] BcmCmDocsisCtlThread:arseAndValidateRegRspMsg: (CmDocsisCtlThread) ERROR - REG-RSP parse error. continuing.
0x000062de [CmDocsisCtlThread] BcmCmDocsisCtlThread::RegRspMsgEvent: (CmDocsisCtlThread) We registered with a DOCSIS 1.1 config file!
Registration complete!
Process CVC
Co-signer CVC verified
At least one CVC is valid.
DOCSIS CoS/QoS rate shaping enable is now 1
CmSnmpAgent::CmOperationalEvent for SB5102 CM Agent w/ BRCM Factory Support
CmSnmpAgent operating in 1.1 mode, including docsQos, excluding docsBpi
+++ No DH kickstart profiles or snmpCommunityTable entries installed.
We will operate in NMACCESS mode.
SB5102 CM Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
SB5102 CM Agent w/ BRCM Factory Support enabling management.
SB5102 CM Agent w/ BRCM Factory Support sending deferred traps...
Done w/ deferred traps.
SB5102 CPE Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
BPI+ Bypass enabled
Enabling network access for all CPE ports.

mot_scanList: Writing to Flash!
BcmCmDocsisStatusEventCodes::kCmIsOperational
Suspending SNMP Thread
0x0000637e [CmDocsisCtlThread] BcmVendorCmApplication::StopDhcpServer: (VendorExtension CmApp) Shutting down DHCP Server...
0x00006388 [CmDocsisCtlThread] BcmStandbySwitchThread::CmIsOperational: (Motorola Standby Switch Thread) Simulating a press of the standby switch to get the state configured properly.
0x00006392 [IGMP Thread] BcmIgmpThread::Starting Igmp Thread...: (IGMP Thread)
0x00006392 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ThreadMain: (Motorola Standby Switch Thread) Standby switch was pressed!
0x00006392 [Motorola Standby Switch Thread] BcmStandbySwitchThread:rocessSwitchEvent: (Motorola Standby Switch Thread) Standby switch disabled in nonvol; ignoring event.
Logging event: REG-RSP - invalid format or not recognized
SB5102 CM Event Log w/ BRCM Factory Support sending deferred async messages...
Done w/ deferred msgs
Not logging event ID 2296948624, control for level 7 is 0.
CM> 0x00006ab8 [DHCP Server Thread] BcmDhcpServerThread::ThreadMain: (DHCP Server Thread) Callback request expired:
timerDuration secs = 20
current time secs = 27
elapsed time secs = 20
0x00006ac2 [DHCP Server Thread] BcmDhcpServerIf::ElapsedTimeSec: (DHCP ServerIf Instance(1) for IP Stack2) Lease 192.168.100.11 : htype=0, value=xx xx xx xx xx xx has EXPIRED!
CM>

[ABMJR]

(CmDocsisCtlThread) BPKM enabled. starting BPKM key requests.

Not submitting the BPKM key. Unless you know TELNET and a trick, I would say your done...as your failing a key item here...

Its very simple but the answer is finding it.

DOCSIS Baseline Privacy (BPI) provides data privacy across the hybrid fiber-coaxial (HFC) network by encrypting traffic flows between the modem and the cable operator's Cable Modem Termination System (CMTS).

BPI security services are a set of extended services within the DOCSIS MAC sublayer. Two new MAC management message types, BPKM-REQ and BPKM-RSP, are employed to support the Baseline Privacy Key Management (BPKM) protocol.

The BPKM protocol does not use authentication mechanisms such as passwords or digital signatures; it provides basic protection of service by ensuring that a modem, uniquely identified by its 48-bit IEEE MAC address, can only obtain keying material for services it is authorized to access.

The Cisco uBR924 cable modem is able to obtain two types of keys from the CMTS:

Traffic Exchange Key (TEK), used to encrypt and decrypt data packets

Key Exchange Key (KEK), used to decrypt the TEK


Good Luck M8!!

[skEwb]

(CmDocsisCtlThread) BPKM enabled. starting BPKM key requests.

Not submitting the BPKM key. Unless you know TELNET and a trick, I would say your done...as your failing a key item here...

Its very simple but the answer is finding it.

DOCSIS Baseline Privacy (BPI) provides data privacy across the hybrid fiber-coaxial (HFC) network by encrypting traffic flows between the modem and the cable operator's Cable Modem Termination System (CMTS).

BPI security services are a set of extended services within the DOCSIS MAC sublayer. Two new MAC management message types, BPKM-REQ and BPKM-RSP, are employed to support the Baseline Privacy Key Management (BPKM) protocol.

The BPKM protocol does not use authentication mechanisms such as passwords or digital signatures; it provides basic protection of service by ensuring that a modem, uniquely identified by its 48-bit IEEE MAC address, can only obtain keying material for services it is authorized to access.

The Cisco uBR924 cable modem is able to obtain two types of keys from the CMTS:

Traffic Exchange Key (TEK), used to encrypt and decrypt data packets

Key Exchange Key (KEK), used to decrypt the TEK


Good Luck M8!!

Isn't the BPKM key automatically generated based on the MAC address? Are you telling me I have the wrong key because the MAC is generating a key that has no access?

I searched the forum and only noticed one other mention of the telnet fix, but nobody gives away any details as to what kinda fix or how to do it. Seems like private info at the moment..

If you have anything else as far as tips, please go ahead!

[skEwb]

I flashed the LITE version of Haxorware and now in the GUI and log it shows "Operational" for like 5 seconds. Then the modem loses IP Address and does not respond anymore. The telnet session to the modem automatically ends/disconnects and the last thing seen is this:

BPI+ Bypass enabled
Enabling network access for all CPE ports.

mot_scanList: Writing to Flash!
BcmCmDocsisStatusEventCodes::kCmIsOperational

I don't know what's causing the modem to lock up and not respond after posting that it's Operational.

[ABMJR]

Lite is what I would of used..You lose some features, but the Diag/Full version is detectable..

Operational means just that. Your in a no public IP area. A dead End , Dead IP that goes no where...

[ABMJR]

BTW, read and Learn.

Such an easy solution to fix...

If only you just read, you would know..

P.S

Dont PM me asking where to read. I told you. Read. Its all here.

[skEwb]

BTW, read and Learn.

Such an easy solution to fix...

If only you just read, you would know..

P.S

Dont PM me asking where to read. I told you. Read. Its all here.

The only two other things I can think of are getting a list of all telnet commands and trying things. The other is the factory mode boot menu, I don't know if that is useful at all in this case. Other than that, thanks for letting me know there is a fix I have to find. I'm doing some reading and testing with commands from this thread: http://www.haxorware.com/forums/thread-1...ml#pid8594

[southernyankey1970]

Factory mode will not help you. you are in the beginning stages of d3...Once it is complete that 39 diag wont do shit but range forever..Use 39 lite or an older version and change your nic mac for starters...Forget the mythical, magical 4 line telnet fix as it was on the chopping block as soon as Jr mentioned it...lol. there are still many ways to test in new hardcore security. Put those certs on a stock Moto dump and see if it works that way with a fresh nic mac...

[skEwb]

I guess if it helps anyone else. I found helpful information I'll post here. Hopefully it's all good to go:

When the ISP has enabled BPI + requires the CMTS to verify that the CM has in addition to the MAC, the licenses for the MAC. Certificates used in the CM are the type X509 , and what they do is to get a chain of trust to the root certificate of keys and certificates that can be found in a CM, which are important to identify the CM to the CMTS.

These are:

Private RSA (Private RSA key pair) Each Cm has its own RSA key pair.
Public RSA (Public part of the pair) Cm Each has its own RSA key pair.
Root_cert (trusted root certificate) changes if the CM DOCSIS or EuroDOCSIS is for.
Ca_cert (Certificate certifying authority)
Cm_cert (Certificate of CM) Changes for each Cm.

In addition to this information I was going to post links to FastCert and BuzzCert since they seem to by awfully hard to come by for anyone that is interested. Only if this is allowed.

---

Factory mode will not help you. you are in the beginning stages of d3...Once it is complete that 39 diag wont do shit but range forever..Use 39 lite or an older version and change your nic mac for starters...Forget the mythical, magical 4 line telnet fix as it was on the chopping block as soon as Jr mentioned it...lol. there are still many ways to test in new hardcore security.

Hey thanks for pointing me in the right direction! I did flash the Lite 39 and it didn't help much really. I'm looking for an archive of older versions that I can try out. I suppose if FastCert/BuzzCert dont work, I can pull certs from my CISCO DPC2100R2 then I can have the 5101 working as well I suppose. As far as the NIC mac goes, the tomato router firmware has a randomize MAC feature which I use, but if I'm connected directly to the modem I can change it in device settings as well.

BTW I'm searching and researching here and other forums as well. Not trying to waste anyone's time! I posted telnet logs and everything, I don't want anyone frustrated, just here to work things out.

[ABMJR]

I can almost bet, you never ever spoofed the 1st CPE device's MAC address AFTER?

Whether you used Lite or Diag, you still had the same HFC MAC. Just a new "shell" running..

The CMTS still see's you. You did nothing to change that.

Sigh...