Friday, 3 June 2011

Secret MIB's & Secret way to upgrade cable modem via BITFILE

The following text was compiled by
Dshocker (of TCNISO)


Look down at the bottom and you will see secret MIBs for the modems,
like getting and setting your modem cert... Dshocker

Well, here it is: everything you will need for your modem.
You can upgrade modem firmware, do whatever. Read the readme
under this text, because if you don't I will not help you.
Hope you have fun.
Dshocker

PS: name the bitfile after the modem you want to use it on:
SB5100.bit for an SB5100, SB4100.bit for an SB4100, SBG900.bit for an SBG900,
etc.

Officially Released by Dshocker

18a. Factory Mode

Before I talk about bit files I should explain what factory mode is:

Factory mode, when enabled, gives you access via SNMP to the factory MIB.
The factory MIB is a list of OIDs, each OID having a unique function.
Here is a very small list of things you can do remotely via SNMP when in factory mode:
- get/set the HFC, Ethernet and USB MAC addresses.
- get/set the modem serial number.
- get/set the modem certificates (cm, vendor, and secure code).
- ping IP addresses.
- execute shell commands.
- execute injected code (see cmFactoryBCMGroup 'CommandType, AddressOrOpcode, ByteCount and Data').

18b. Bit Files
The bit file method works on firmware 0.4.5.0 and up on the SB3100, SB4100, SB4101
and SB4200, and on any SB5100, SB5101 and SBG900.

The bitfile method works like this.
1) Using SNMP you set the OID 1.3.6.1.4.1.1166.1.19.3.1.18.0 to the integer
value of your HFC MAC address (convert the hex MAC to decimal, e.g. with Calc.exe).
2) The modem then TFTP gets a 'bitfile' from 192.168.100.10:
a 4100 modem will TFTP get SB4100.bit, and a 4200 modem will TFTP get SB4200.bit.

3) If the bit file is the correct size and contains the exact sequence of bytes, then factory mode is enabled and the modem reboots!

4) When the modem reboots you have full access to all the factory MIB and the OIDs within it.

NOTE: Factory mode will stay enabled until you turn it off by setting
1.3.6.1.4.1.1166.1.19.4.29.0 to integer 1 and reboot the modem!

Sorry no source code for you :P - a compiled bitfile is in the rar.

18c. Enable Factory MIB
This tutorial will show you how to enable the factory MIB on a modem and change the
MAC and serial via SNMP.

1) Put the .bit file into your TFTP server's directory.

2) Use SNMP to set the OID 1.3.6.1.4.1.1166.1.19.3.1.18.0 to the decimal value of your HFC MAC address.
Example: snmpset -v2c -c public 192.168.100.1 1.3.6.1.4.1.1166.1.19.3.1.18.0 i 12345678
The modem will now get the bit file and, if it is correct, it will enable factory mode and reboot!
Once the modem is rebooted....

3) You can now set the OID 1.3.6.1.4.1.1166.1.19.4.3.0 to your NEW ETHERNET MAC address.
Example: snmpset -v2c -c public 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.3.0 s "12:34:56:78:9a:00"

4) You can now set the OID 1.3.6.1.4.1.1166.1.19.4.4.0 to your NEW HFC MAC address.
Example: snmpset -v2c -c public 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.4.0 s "12:34:56:78:9a:0a"

5) You can now set the OID 1.3.6.1.4.1.1166.1.19.4.6.0 to your NEW SERIAL NUMBER.
Example: snmpset -v2c -c public 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.6.0 s "12345678901234567890"

6) To finish up, disable the factory MIB by setting the OID
1.3.6.1.4.1.1166.1.19.4.29.0 to integer 1.
Example: snmpset -v2c -c public 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.29.0 i 1

Now reboot your modem and all is done.
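From the operator's side, the sequence in 18b and 18c is visible as a run of SNMP SET requests against a handful of OIDs that never appear in normal provisioning. The detection sketch below is an added example, not part of Dshocker's text: it assumes an SNMP audit feed already flattened to one line per SET request in the form "<ts> <src> -> <dst> SET <oid> <type> <value>" (a constructed format), and the sample lines are constructed for the example.

```python
import re

# OIDs taken from the factory MIB list in this document.
TRIGGER_OID = "1.3.6.1.4.1.1166.1.19.3.1.18.0"   # cmResetToDefaults, the bitfile trigger
FACTORY_GROUP = "1.3.6.1.4.1.1166.1.19.4."       # cmPrivateFactoryGroup (MAC, serial, certs)
BCM_GROUP = "1.3.6.1.4.1.1166.1.19.4.32."        # cmFactoryBCMGroup (code execution)
DISABLE_OID = "1.3.6.1.4.1.1166.1.19.4.29.0"     # cmFactoryDisableMib

# Assumed (constructed) audit-line format: "<ts> <src> -> <dst> SET <oid> <type> <value>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) SET (?P<oid>[\d.]+) (?P<type>\w) (?P<value>.*)$"
)

# Constructed sample feed: one benign sysName write among factory-mode activity.
SAMPLE_LOG = """\
2011-06-03T10:00:01 192.168.100.10 -> 192.168.100.1 SET 1.3.6.1.4.1.1166.1.19.3.1.18.0 i 12345678
2011-06-03T10:00:02 10.0.0.5 -> 192.168.100.1 SET 1.3.6.1.2.1.1.5.0 s "cm-01"
2011-06-03T10:01:30 192.168.100.10 -> 192.168.100.1 SET 1.3.6.1.4.1.1166.1.19.4.4.0 s "12:34:56:78:9a:0a"
2011-06-03T10:01:31 192.168.100.10 -> 192.168.100.1 SET 1.3.6.1.4.1.1166.1.19.4.32.1.0 i 1
2011-06-03T10:02:00 192.168.100.10 -> 192.168.100.1 SET 1.3.6.1.4.1.1166.1.19.4.29.0 i 1
"""


def classify(oid):
    """Map a SET target OID to a severity label; None for OIDs outside the factory MIB."""
    if oid == TRIGGER_OID:
        return "critical: factory-mode trigger (cmResetToDefaults)"
    if oid.startswith(BCM_GROUP):          # checked before the broader group prefix
        return "critical: cmFactoryBCMGroup write (code execution)"
    if oid == DISABLE_OID:
        return "info: factory MIB being disabled (cleanup after the change)"
    if oid.startswith(FACTORY_GROUP):
        return "high: factory MIB write (MAC/serial/cert)"
    return None


def scan(log_text):
    """Return (src, oid, label) for every SET request that touches the factory MIB."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a SET line in the assumed format
        label = classify(m["oid"])
        if label:
            findings.append((m["src"], m["oid"], label))
    return findings


if __name__ == "__main__":
    for src, oid, label in scan(SAMPLE_LOG):
        print(f"{src} {oid} {label}")
```

A write to the trigger OID followed within minutes by writes under cmPrivateFactoryGroup from the same source is the pattern worth alerting on; a lone cmFactoryDisableMib write is the cleanup step from 18c and is kept at info level so it still shows up in the timeline.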

18d. Factory mode OID list for Motorola cable modems
AKA factory MIBs for factory mode
This list is generic among Motorola cable modems:
SB3100, SB4100, SB4101, SB4200, SB4220, SB5100, SB5101, SBG900 and probably more. HOWEVER, some OIDs will not exist on some modems; e.g. the cmFactoryBCMGroup OIDs
used to execute code only exist on the SB5100, SB5101 and SBG900.

cmPrivateArpFilterGroup
1.3.6.1.4.1.1166.1.19.2
1.3.6.1.4.1.1166.1.19.2.1.0 cmArpFilterEnabled
1.3.6.1.4.1.1166.1.19.2.2.0 cmArpFilterInterval
1.3.6.1.4.1.1166.1.19.2.3.0 cmArpFilterLimit
1.3.6.1.4.1.1166.1.19.2.4.0 cmArpFilterInArps
1.3.6.1.4.1.1166.1.19.2.5.0 cmArpFilterOutArps
1.3.6.1.4.1.1166.1.19.2.6.0 cmArpFilterInArpsThisFilter

cmConfigPrivateBaseGroup
1.3.6.1.4.1.1166.1.19.3
cmConfigFreqObjectsGroup
1.3.6.1.4.1.1166.1.19.3.1
1.3.6.1.4.1.1166.1.19.3.1.1.0 cmConfigFreq1
1.3.6.1.4.1.1166.1.19.3.1.2.0 cmConfigFreq2
1.3.6.1.4.1.1166.1.19.3.1.3.0 cmConfigFreq3
1.3.6.1.4.1.1166.1.19.3.1.8.0 cmFreqPlanType
1.3.6.1.4.1.1166.1.19.3.1.11.0 cmUpstreamChannelId1
1.3.6.1.4.1.1166.1.19.3.1.12.0 cmCarrierFrequencyOffset
1.3.6.1.4.1.1166.1.19.3.1.14.0 cmSnmpHFCPort
1.3.6.1.4.1.1166.1.19.3.1.15.0 cmSnmpHFCTrapPort
1.3.6.1.4.1.1166.1.19.3.1.17.0 cmSnmpDisplayHtml
1.3.6.1.4.1.1166.1.19.3.1.18.0 cmResetToDefaults
1.3.6.1.4.1.1166.1.19.3.1.19.0 cmStandbyMode
1.3.6.1.4.1.1166.1.19.3.1.20.0 cmHybridMode
1.3.6.1.4.1.1166.1.19.3.1.21.0 cmUpstreamChannelId3
1.3.6.1.4.1.1166.1.19.3.1.22.0 cmUpstreamPower1
1.3.6.1.4.1.1166.1.19.3.1.23.0 cmUpstreamPower2
1.3.6.1.4.1.1166.1.19.3.1.24.0 cmUpstreamPower3
1.3.6.1.4.1.1166.1.19.3.1.25.0 cmDocsis20Capable
1.3.6.1.4.1.1166.1.19.3.1.26.0 cmUpstreamChannelId2

cmPrivateFactoryGroup
1.3.6.1.4.1.1166.1.19.4
1.3.6.1.4.1.1166.1.19.4.1.0 cmFactoryVersion
1.3.6.1.4.1.1166.1.19.4.2.0 cmFactoryDbgBootEnable
1.3.6.1.4.1.1166.1.19.4.3.0 cmFactoryEnetMacAddr
1.3.6.1.4.1.1166.1.19.4.4.0 cmFactoryHfcMacAddr
1.3.6.1.4.1.1166.1.19.4.6.0 cmFactorySerialNumber
1.3.6.1.4.1.1166.1.19.4.9.0 cmFactoryClearFreq1
1.3.6.1.4.1.1166.1.19.4.10.0 cmFactoryClearFreq2
1.3.6.1.4.1.1166.1.19.4.11.0 cmFactoryClearFreq3
1.3.6.1.4.1.1166.1.19.4.12.0 cmFactorySetReset
1.3.6.1.4.1.1166.1.19.4.13.0 cmFactoryClrConfigAndLog
1.3.6.1.4.1.1166.1.19.4.14.0 cmFactoryPingIpAddr
1.3.6.1.4.1.1166.1.19.4.15.0 cmFactoryPingNumPkts
1.3.6.1.4.1.1166.1.19.4.16.0 cmFactoryPingNow
1.3.6.1.4.1.1166.1.19.4.17.0 cmFactoryPingCount
1.3.6.1.4.1.1166.1.19.4.28.0 cmFactoryCliFlag
1.3.6.1.4.1.1166.1.19.4.29.0 cmFactoryDisableMib
1.3.6.1.4.1.1166.1.19.4.30.0 cmFactoryUpstreamPowerCalibration1
1.3.6.1.4.1.1166.1.19.4.50.0 cmFactoryBigRSAPublicKey
1.3.6.1.4.1.1166.1.19.4.51.0 cmFactoryBigRSAPrivateKey
1.3.6.1.4.1.1166.1.19.4.52.0 cmFactoryCMCertificate
1.3.6.1.4.1.1166.1.19.4.53.0 cmFactoryManCertificate
1.3.6.1.4.1.1166.1.19.4.54.0 cmFactoryRootPublicKey
1.3.6.1.4.1.1166.1.19.4.55.0 cmFactoryCodeSigningTime
1.3.6.1.4.1.1166.1.19.4.56.0 cmFactoryCVCValidityStartTime
1.3.6.1.4.1.1166.1.19.4.58.0 cmFactoryCMManufacturerName
1.3.6.1.4.1.1166.1.19.4.59.0 cmFactoryHtmlReadOnly
1.3.6.1.4.1.1166.1.19.4.60.0 cmFactoryCmUsbMacAddr
1.3.6.1.4.1.1166.1.19.4.61.0 cmFactoryCpeUsbMacAddr
1.3.6.1.4.1.1166.1.19.4.62.0 cmFactoryCmAuxMacAddr
1.3.6.1.4.1.1166.1.19.4.63.0 cmFactoryTunerId
1.3.6.1.4.1.1166.1.19.4.64.0 cmFactoryHwRevision
1.3.6.1.4.1.1166.1.19.4.65.0 cmFactoryUsAmpId
1.3.6.1.4.1.1166.1.19.4.66.0 cmFactory80211RegDomain
1.3.6.1.4.1.1166.1.19.4.67.0 cmFactoryResidentialGatewayEnable
1.3.6.1.4.1.1166.1.19.4.70.0 cmFactoryFWFeatureID
1.3.6.1.4.1.1166.1.19.4.90.0 cmFactorySwServer
1.3.6.1.4.1.1166.1.19.4.91.0 cmFactorySwFilename
1.3.6.1.4.1.1166.1.19.4.92.0 cmFactorySwDownloadNow
1.3.6.1.4.1.1166.1.19.4.93.0 cmFactoryGwAppPublicKey
1.3.6.1.4.1.1166.1.19.4.94.0 cmFactoryGwAppPrivateKey
1.3.6.1.4.1.1166.1.19.4.95.0 cmFactoryGwAppRootPublicKey
1.3.6.1.4.1.1166.1.19.4.31 cmFactoryDownstreamCalibrationGroup
1.3.6.1.4.1.1166.1.19.4.31.1.0 cmFactorySuspendStartup
1.3.6.1.4.1.1166.1.19.4.31.2.0 cmFactoryDownstreamFrequency
1.3.6.1.4.1.1166.1.19.4.31.3.0 cmFactoryDownstreamAcquire
1.3.6.1.4.1.1166.1.19.4.31.4.0 cmFactoryTunerAGC
1.3.6.1.4.1.1166.1.19.4.31.5.0 cmFactoryIfAGC
1.3.6.1.4.1.1166.1.19.4.31.6.0 cmFactoryQamLock
1.3.6.1.4.1.1166.1.19.4.31.7.0 cmFactoryDownstreamCalibrationTableMaxSum
1.3.6.1.4.1.1166.1.19.4.31.8.0 cmFactoryDownstreamCalibrationTableMinSum
1.3.6.1.4.1.1166.1.19.4.31.9.0 cmFactoryTop
1.3.6.1.4.1.1166.1.19.4.31.10.0 cmFactoryDownstreamCalibrationOffset
1.3.6.1.4.1.1166.1.19.4.31.100 cmFactoryCalibrationEntry
1.3.6.1.4.1.1166.1.19.4.31.100.1.1 cmFrequencyCalibrationIndex
1.3.6.1.4.1.1166.1.19.4.31.100.1.2 cmFactoryCalibrationFrequencyData

cmFactoryBCMGroup
1.3.6.1.4.1.1166.1.19.4.32
1.3.6.1.4.1.1166.1.19.4.32.1.0 cmFactoryBCMCommandType
1.3.6.1.4.1.1166.1.19.4.32.2.0 cmFactoryBCMAddressOrOpcode
1.3.6.1.4.1.1166.1.19.4.32.3.0 cmFactoryBCMByteCount
1.3.6.1.4.1.1166.1.19.4.32.4.0 cmFactoryBCMData

cmRegPrivateGroup
1.3.6.1.4.1.1166.1.19.5

cmStatsGroup
1.3.6.1.4.1.1166.1.19.9
cmStatsObjectsGroup
1.3.6.1.4.1.1166.1.19.9.1
1.3.6.1.4.1.1166.1.19.9.1.5.0 cmResetIfCmStatusCounters
1.3.6.1.4.1.1166.1.19.9.1.6.0 cmResetCMSignalQualityCounters
1.3.6.1.4.1.1166.1.19.9.1.7.0 cmQam256PowerFactorTableVersion

cmTftpConfigPrivateGroup
1.3.6.1.4.1.1166.1.19.6
1.3.6.1.4.1.1166.1.19.6.1
1.3.6.1.4.1.1166.1.19.6.1.1.1 cmCfgClassId
1.3.6.1.4.1.1166.1.19.6.1.1.2 cmCfgMaxDsRate
1.3.6.1.4.1.1166.1.19.6.1.1.3 cmCfgMaxUsRate
1.3.6.1.4.1.1166.1.19.6.1.1.4 cmCfgUsChannelPriority
1.3.6.1.4.1.1166.1.19.6.1.1.5 cmCfgMinUsDataRate
1.3.6.1.4.1.1166.1.19.6.1.1.6 cmCfgMaxUsChannelXmitBurst
1.3.6.1.4.1.1166.1.19.6.1.1.7 cmCfgCovPrivacyEnable

cmCfgBpiTimeOutGroup
1.3.6.1.4.1.1166.1.19.6.2
1.3.6.1.4.1.1166.1.19.6.2.1.0 cmCfgAuthorWaitTimeOut
1.3.6.1.4.1.1166.1.19.6.2.2.0 cmCfgReauthorWaitTimeOut
1.3.6.1.4.1.1166.1.19.6.2.3.0 cmCfgAuthorGraceTime
1.3.6.1.4.1.1166.1.19.6.2.4.0 cmCfgOperWaitTimeOut
1.3.6.1.4.1.1166.1.19.6.2.5.0 cmCfgRekeyWaitTimeOut
1.3.6.1.4.1.1166.1.19.6.2.6.0 cmCfgTekGraceTime
1.3.6.1.4.1.1166.1.19.6.2.7.0 cmCfgAuthorRejectWaitTimeOut

cmOtherConfigGroup
1.3.6.1.4.1.1166.1.19.6.3
1.3.6.1.4.1.1166.1.19.6.3.1.0 cmCfgDsFreq
1.3.6.1.4.1.1166.1.19.6.3.2.0 cmCfgUsChannelId
1.3.6.1.4.1.1166.1.19.6.3.3.0 cmCfgNetAccessCtrl
1.3.6.1.4.1.1166.1.19.6.3.4.0 cmCfgSoftUpgradeFile
1.3.6.1.4.1.1166.1.19.6.3.5.0 cmCfgTotalSnmpWriteAccessCtrl
1.3.6.1.4.1.1166.1.19.6.3.6.0 cmCfgTotalSnmpMibObj
1.3.6.1.4.1.1166.1.19.6.3.7.0 cmCfgVendorId
1.3.6.1.4.1.1166.1.19.6.3.8.0 cmCfgVendorSpecific
1.3.6.1.4.1.1166.1.19.6.3.9.0 cmCfgModemCapabilities
1.3.6.1.4.1.1166.1.19.6.3.10.0 cmCfgModemIp
1.3.6.1.4.1.1166.1.19.6.3.11.0 cmCfgTotalEthernetMacAddrs
1.3.6.1.4.1.1166.1.19.6.3.12.0 cmCfgEthernetMacAddrs
1.3.6.1.4.1.1166.1.19.6.3.13.0 cmCfgTelcoSetting
1.3.6.1.4.1.1166.1.19.6.3.14.0 cmCfgSnmpIpAddr
1.3.6.1.4.1.1166.1.19.6.3.15.0 cmCfgMaxCpe
1.3.6.1.4.1.1166.1.19.6.3.16.0 cmCfgTftpServerTimeStamp
1.3.6.1.4.1.1166.1.19.6.3.17.0 cmCfgTftpServerProvModAddr
1.3.6.1.4.1.1166.1.19.6.3.18.0 cmCfgUuFlashParms
1.3.6.1.4.1.1166.1.19.6.3.19.0 cmCfgMulticastPromiscuous
1.3.6.1.4.1.1166.1.19.6.3.20.0

cmDhcpGroup
1.3.6.1.4.1.1166.1.19.10

cmDhcpObjectsGroup
1.3.6.1.4.1.1166.1.19.10.1

1.3.6.1.4.1.1166.1.21.1 cmTrapObjectValueChange
1.3.6.1.4.1.1166.1.21.62.1 ?
1.3.6.1.4.1.1166.1.21.62.2 ?
1.3.6.1.4.1.1166.1.21.62.3 ?
1.3.6.1.4.1.1166.1.21.62.4 ?
1.3.6.1.4.1.1166.1.21.2 cmTrapLog
1.3.6.1.4.1.1166.1.21.62.5 ?
1.3.6.1.4.1.1166.1.21.62.6