Hacking the Cable Modem by DerEngel

Over Christmas 2006 I had the time to read Hacking the Cable Modem by DerEngel. For the reader's benefit: I purchased this book for my own education, not as a tutorial. My focus while reading was understanding how to approach a production embedded system and gain access to its hardware and software at the lowest level. While this book definitely provides enough information to clone a MAC address or uncap a connection, my interest was in modifying a system to serve as a test platform for future embedded projects.

First let me say that I am thoroughly impressed with both the author and the information content. Hacking the Cable Modem is part textbook and part tutorial, steeped in a plot straight from Hollywood. DerEngel weaves a narrative in the exploration, exploitation and modification of an embedded system with the story of some of the first cable modem hacks in the 90s.

The author captures the reader's attention right in the first chapter. Cutting straight to the meat, DerEngel explains common modem hacks and how they developed. As I said, this chapter has a plot right out of Hollywood. As the stories of the hacks unfold, the reader is taken through the entire exploitation process: the approach to the unit, testing for holes in its security, attempting the break-in and finally gaining access. The first chapter could stand on its own as both an overview of embedded system hacking and a good story for geeks.

The following few chapters are more historical and factual. I have always been interested in the history of technology, learning how things were done before my time. In this group of chapters the author presents common modems and lists the vulnerabilities of each. This is a good section for those who purely want to hack a modem to reap the benefits therein. Popular modems are listed with a picture and any published hacks, allowing readers to look up a model and flip to the section dealing directly with that particular hack. For those who want to know about the cable network itself, the evolution of the DOCSIS standard is presented along with a rather detailed history of how cable internet grew out of the existing cable TV infrastructure. The author clearly explains each part of the cable network and what its function is. Throughout the narrative, points are made about where configuration files are stored and how their authenticity is checked, heavy foreshadowing of later chapters. This was presented quite well given the inherently abstruse and complex nature of the networks and hardware.

The next section of the text is for those who truly want to understand embedded hardware. It covers the internal workings of embedded systems and the firmware controlling them. First, key hardware components are described along with the function of each. More importantly, JTAG and serial interfaces left over from the development phase are shown, along with suggestions on how to locate them. This is key, since an unsecured serial connection is almost an invitation into the system: anyone who gets a shell on an unmodified unit over serial can run commands and may even be able to modify the executing code. After the hardware overview the author explains cable modem firmware and how the system executes code. The full boot and upgrade process of the Motorola SURFboard SB4200 is explained, including memory addresses and instructions. This is also key should a modifier need to remove the memory chips and overwrite them with modified firmware. Overall, an excellent overview of low-level system execution.

Chapter nine starts the hacking process with an overview of modem security and how to approach a system with the intent of modifying its firmware. This chapter also returns to the configuration foreshadowing found in earlier chapters, explaining what to look for in firmware in order to spoof and copy security values, and what the network expects from an unmodified modem.

I found chapter ten to be the most interesting. DerEngel leaves the textbook part and returns to his documentary on how some of the first hacks were done. The story covers the entire hacking procedure, from testing to final result, as a detailed account of how a buffer overflow attack was developed for a Motorola SURFboard modem running the VxWorks RTOS. It seems to me some key information was intentionally left out, most likely to keep the book educational rather than letting it fall into the realm of hacker tutorial.
A note to readers who are looking for a "Here's how to get free net" tutorial: this chapter is not for you. For those who have an understanding of MIPS assembly, instruction execution and program flow, I feel you will find this chapter captivating, to say the least. Be prepared for register and stack dumps combined with an explanation of what you are looking at. Fun stuff.

After the author gained access to the firmware, his team developed the SIGMA firmware for the SURFboard, a common firmware replacement that unlocks more options for the modem than you can shake a stick at. SIGMA "..takes the control from the ISP and gives it to the user.." something that most people want, big brother out of the picture.
DerEngel next dives into hacking frequencies, i.e. making a US modem work in Europe. I don't have to elaborate on who this chapter is designed for; however, most of the information in the chapter is written directly for the SURFboard modems rather than as a general overview of tuner settings.
Chapter 13 covers useful tools for working with embedded systems, more specifically network-enabled embedded systems. Network tools like Etherboot and Ethereal are presented and explained. The information in this chapter is used to gather data from modems in chapter 14. These chapters seem a little out of place considering they are squeezed between frequency hacking and the final chapters of the book, which cover physical hacking tools; nonetheless, very informative.

The second half of the book is divided into chapters dealing with specific aspects of breaking into an embedded system. Chapter 15 explains how to build and use a Blackcat Programmer to reprogram Motorola SB5100 modems. Chapter 16 is the first uncapping tutorial published by DerEngel in 2001 and covers standard ARP poisoning and how to send the modem a modified config file. Those lucky enough to have an unsecured serial connection, or those with modified firmware that opens a serial terminal, will find chapter 17 extremely important, as it covers building a console cable: circuits, wiring diagrams and an explanation of how to find and connect the port.
Chapters 18 through 23 are the hacking tutorial part of the book. Major modems such as the SB5100, D-Link DCM-202 and WebStar DPC2100 are covered, including what types of hack to perform on each and a decent explanation of how to perform them. This is the section a person would want to check out if they wanted a tutorial on how to hack a modem. If you are this kind of person I strongly suggest you read the previous chapters of the book to gain a better idea of what it is you are doing and how it all works.
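The chapter 16 trick, and the earlier foreshadowing about where config files are stored and how their authenticity is checked, come down to one point: a DOCSIS config file is a TLV blob carrying two message integrity checks, and only one of them is keyed. The following is an added example, not code from the book or from DerEngel, that builds a toy config file, tampers with the downstream cap the way an uncap does, and shows which check catches it. The TLV type numbers follow the DOCSIS 1.x convention (3 = network access, 4 = class of service, 6 = CM MIC, 7 = CMTS MIC, 255 = end of data); the CMTS MIC construction here is a simplification (MD5 over the same bytes the CM MIC covers, plus the shared secret) rather than the spec's exact TLV subset and ordering, and the secret and rate values are constructed.

```python
"""Toy DOCSIS-style config file: TLV encoding and its two integrity checks.

Constructed example (not the book's code). TLV types follow DOCSIS 1.x;
the CMTS MIC is a simplified keyed digest, see the lead-in above.
"""
import hashlib
import struct

TLV_NETWORK_ACCESS, TLV_CLASS_OF_SERVICE = 3, 4
TLV_CM_MIC, TLV_CMTS_MIC, TLV_END = 6, 7, 255
COS_CLASS_ID, COS_MAX_DOWNSTREAM, COS_MAX_UPSTREAM = 1, 2, 3  # sub-TLVs of type 4


def tlv(t, value):
    """Encode one element: one-byte type, one-byte length, value."""
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length field")
    return bytes([t, len(value)]) + value


def parse_tlvs(data):
    """Return [(type, value), ...]; skips zero padding, stops at the end marker."""
    items, i = [], 0
    while i < len(data) and data[i] != TLV_END:
        if data[i] == 0:
            i += 1
            continue
        t, ln = data[i], data[i + 1]
        items.append((t, data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return items


def class_of_service(class_id, down_bps, up_bps):
    body = tlv(COS_CLASS_ID, bytes([class_id]))
    body += tlv(COS_MAX_DOWNSTREAM, struct.pack(">I", down_bps))
    body += tlv(COS_MAX_UPSTREAM, struct.pack(">I", up_bps))
    return tlv(TLV_CLASS_OF_SERVICE, body)


def covered_bytes(config):
    """Re-encode every TLV before the MICs: the bytes both digests cover."""
    out = b""
    for t, v in parse_tlvs(config):
        if t in (TLV_CM_MIC, TLV_CMTS_MIC):
            break
        out += tlv(t, v)
    return out


def cm_mic(body):
    """Modem-side check: plain MD5 with no key, so anyone can recompute it."""
    return hashlib.md5(body).digest()


def cmts_mic(body, secret):
    """Head-end check, keyed with the secret shared by CMTS and provisioning
    server (simplified construction, see module docstring)."""
    return hashlib.md5(body + secret).digest()


def build_config(down_bps, up_bps, secret):
    body = tlv(TLV_NETWORK_ACCESS, b"\x01") + class_of_service(1, down_bps, up_bps)
    return (body + tlv(TLV_CM_MIC, cm_mic(body))
            + tlv(TLV_CMTS_MIC, cmts_mic(body, secret)) + bytes([TLV_END]))


def get_tlv(config, t):
    return next((v for tt, v in parse_tlvs(config) if tt == t), None)


def max_downstream(config):
    cos = get_tlv(config, TLV_CLASS_OF_SERVICE)
    return struct.unpack(">I", get_tlv(cos, COS_MAX_DOWNSTREAM))[0]


def modem_accepts(config):
    return get_tlv(config, TLV_CM_MIC) == cm_mic(covered_bytes(config))


def cmts_accepts(config, secret):
    return get_tlv(config, TLV_CMTS_MIC) == cmts_mic(covered_bytes(config), secret)


def uncap(config, new_down_bps):
    """What an attacker with an intercepted file and no secret can do: raise
    the downstream cap and refresh the unkeyed CM MIC. The CMTS MIC is copied
    over unchanged because it cannot be recomputed without the secret."""
    body = b""
    for t, v in parse_tlvs(config):
        if t in (TLV_CM_MIC, TLV_CMTS_MIC):
            continue
        if t == TLV_CLASS_OF_SERVICE:
            v = b"".join(tlv(st, struct.pack(">I", new_down_bps) if st == COS_MAX_DOWNSTREAM else sv)
                         for st, sv in parse_tlvs(v))
        body += tlv(t, v)
    return (body + tlv(TLV_CM_MIC, cm_mic(body))
            + tlv(TLV_CMTS_MIC, get_tlv(config, TLV_CMTS_MIC)) + bytes([TLV_END]))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not a real ISP secret
    cfg = build_config(3_000_000, 256_000, secret)
    hacked = uncap(cfg, 100_000_000)
    print("modem accepts tampered file:", modem_accepts(hacked))        # True
    print("CMTS accepts tampered file: ", cmts_accepts(hacked, secret))  # False
```

The modem's own check passes on the tampered file because the CM MIC is an unkeyed hash anyone can refresh; the head-end rejects it because the CMTS MIC depends on a secret the attacker never sees. That is why the early uncapping tricks worked only against operators who had not configured a shared secret, and why the later chapters turn to firmware modification instead of config file tampering.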

Like any good hacker, DerEngel doesn't only talk about how to break systems, but about how to secure them. Chapter 24 is the clincher that sets this book on the security shelf rather than the tutorial shelf. The chapter is a cover-your-rear on what can and will get you in trouble, including what will happen should you be caught stealing cable net or messing with the cable company. Remember, with great power comes great responsibility, or in this case great consequences. You decide.

It is this reviewer's personal opinion that DerEngel focused on what can be learned from the hacks throughout most of the text. Others have published their opinions of this book on the internet and said that the details of the hacks were fuzzy and things could have been explained better. I say they missed a major focus of the book. Remember, hacking is all about learning; it always was and always will be. If someone wants a bulleted list of how to get fast net, join the script-kiddie groups on IRC.

Overall this was an enjoyable text; as stated previously, it's part textbook, part documentary. Readers should find Hacking the Cable Modem a book worth keeping around for its depth of knowledge, as well as a good read for those interested in embedded system attacks. I know this reader passed it to friends and said "Just read the first chapter, damn good story".

If you have read Hacking the Cable Modem swing on over to Geeksinside.com and let us know what you thought of it.
