jrgutier
DHCP Option 60 spoof needed
I'm seeing something really weird on Charter, and it's duplicatable. Say I have a good NoBPI MAC address, checked by looking at its tftp config file and seeing if Privacy Enable is set to 1. I clone the address on my sb5101 and disable BPI, and then bring it up online with a forced NoBPI config. It begins working after a couple of false starts, but then when I re-download the real tftp file, it has changed to a BPI enabled config.
Somehow, Charter is detecting that I have a BPI enabled modem, regardless of what MAC address I use, and then configuring the tftp file accordingly. What's interesting is I don't know what's going to happen to the real modem I had cloned, because it probably isn't BPI enabled in the first place.
I suspect the modem sends out a DHCP discover that gives off some indication of its capabilities, specifically option 60, which sends out a string of "docsis#.#" according to the Cisco documents I've read. Since Haxorware is based on the SB5101E-2.7.5.0-LTSH firmware, I'm assuming that it still sends a string of "docsis2.0". Haxorware somehow needs to change this option 60 to a "docsis1.0" when BPI is set to disable if this is the case, unless someone knows how to do this manually.
21-09-2010, 12:11 AM
jrgutier
RE: DHCP Option 60 spoof needed
Got any DOCSIS 1.0 spoof strings handy? I'm going off http://www.cablelabs.com/cablemodem/down...oducts.pdf and am not sure if this is exactly correct.
Is there any way to see exactly what info is being passed to the modem to the CMTS?
(21-09-2010, 07:29 AM)drewmerc Wrote: with bpi disabled the modem should only reply with docsis#.#
but the config you are getting could be different based on the spoof you are sending to the CMTS
try spoofing a docsis1 modem
22-09-2010, 10:21 AM