The Cable Modem To SDR Transformation

What do you do with an old cable modem in a closet? If you are [stdw] you reverse engineer it and turn it into a software-defined radio. The modem in question was a Motorola MB7220. After looking at a similar project using a different modem, it seemed like it should be doable.

Cracking open the case revealed two likely UART ports, one of which was active. The output from that UART provided a lot of info. The chip was a Broadcom BCM3383, which is a MIPS processor, and it ran eCos as its operating system. However, the bootloader eventually disables the UART, so there wasn’t much more investigation possible via the serial terminal.

The next step was to dump the flash memory. That required a little solder surgery to prevent the board from starting while the flash chip had power. It appeared that some key credentials and configuration data were present, but they were really backups. After doing a factory reset to remove the backups, the right data was apparent.

After some lengthy exploration, the diagnostic that builds a spectrum display gave up its data. At first, the data was just a small sample of what was really required, but it did show a local FM station as a spectrum. Eventually, the data loss rate was down to about 12% when streaming, which is not great, but good enough. You can hear an audio clip of the reception. Not exactly crystal-clear quality, but not bad.

Of course, no one will use this for an FM radio. But it is a fascinating view into how far you can hack into a device like this if you have some skills and patience. There must be something about quarantine that is making people hack old gear, as we just recently saw a similar Netgear hack. Even cheap games aren’t safe.

A Radio Transceiver From A Cable Modem Chipset

It’s a staple of our community’s work to make electronic devices do things their manufacturers never intended for them. Analogue synthesisers using CMOS logic chips, for example, or microcontrollers that bitbang Ethernet packets without MAC hardware. One of the most fascinating corners of this field comes in the form of software defined radios (SDRs), with few of us not owning an RTL2832-based digital TV receiver repurposed as an SDR receiver.

The RTL SDR is not the only such example though, for there is an entire class of cable modem chipsets that contain the essential SDR building blocks. The Hermes-Lite is an HF amateur radio transceiver project that uses an AD9866 cable modem chip as the signal end for its 12-bit SDR transceiver hardware with an FPGA between it and an Ethernet interface. It covers frequencies from 0 to 38.4 MHz, has 384 kHz of bandwidth, and can muster up 5W of output power.

It’s a project that’s been on our radar for the past few years, though somewhat surprisingly this is the first mention of it here on Hackaday. Creator [Steve Haynal] has reminded us that version 2 is now a mature project on its 9th iteration, and says that over 100 “Hermes-Lite 2.0” units have been assembled to date. If you’d like a Hermes-Lite of your own it’s entirely open-source, and they organise group buys of the required components.

Of course, SDRs made from unexpected components don’t have to be exotic.

32C3: Beyond Your Cable Modem

[Alexander Graf] gave an absolutely hilarious talk at 32C3 about the security flaws he found in cable modems from two large German ISPs. The vulnerability was very serious, resulting in remote root terminals on essentially any affected cable modem, and the causes were trivial: unencrypted passwords in files that are sent over TFTP or Telnet to the modems, for instance.

While [Alexander] was very careful to point out that he’d disclosed all of these vulnerabilities to the two German cable ISPs that were affected, he notably praised one of them for its speedy response in patching up the holes. As for the other? “They’d better hurry up.” He also mentions that, although he’s not sure, he suspects that similar vulnerabilities are present in other countries. Oh dear.

A very interesting point in the talk is the way that [Alexander] chose to go about informing the cable ISPs. Instead of going to them directly and potentially landing himself in jail, he went to the press, and let his contacts at the press talk to the ISPs. This both shielded him from the potential initial heat and put a bit of additional pressure on the ISPs to fix the vulnerability: when the story hits the front page, they would really like to be ahead of the problem.

There’s even a bone for you die-hard hardware hackers out there who think that all of this software security stuff is silly. To get the modem’s firmware in the first place, at minute 42 of the talk, [Alexander] shows briefly how he pulled the flash chip off the device and read it into his computer using a BeagleBone Black. No JTAG, no nothing. Just pulling the chip off and reading it the old-fashioned way.

If you’ve got an hour, go watch [Alexander]’s talk. It’s a fun romp through some serious vulnerabilities.

Hackaday Links: April 20, 2014

[Josh] hit the same issue we’ve faced before: cable modems don’t match a form factor and usually don’t make themselves easy to mount on something. We could complain about routers as well, but at least most of those have keyhole slots so you can hang them on some screws. Inspiration struck and he fabricated his own rack-mount adapter for it. Velcro holds it in place, with a cutout bezel to see the status lights and an added fan to keep things cool.

Here’s a pair of strange but possibly interesting ones that were sent in separately. The first is an analysis of how much energy short-run CNC prototyping consumes versus traditional manufacturing. The other is an article that [Liz] wrote about getting started with CNC mill bits. She says she compiled all that she learned as she was getting started in the field and wants to save others the effort.

This one goes back several years, but who doesn’t love to hear about a voice-controlled wheelchair?

So you can solder QFN parts but you can’t hammer a nail straight into a piece of wood? The answer, friend, is a laser guided hammer. Someone hire this [Andybot] person, because the solution to the problem shows the ability to out-think an interesting dilemma: how do you put a laser in a hammer head and still use it to hit things?

We’ve seen a lot of these long-range WiFi hacks over the years. This one is worth looking at because of the work done to create an outdoor mount that will stand the test of time.

And finally, we’re still really fond of this 2-bit paper processor that helps you wrap your brain around what’s going on with those silicon wafers that rule our everyday lives. [glomCo] liked it as well, and actually coded an emulator so that you can play with it without printing anything out on paper. We think it takes away some of the fun, but what an excellent programming exercise!