
7. Ambit 250 - Guide to Hacking v2

 

The following text was put together by

Astra

 

NOTE: This was only tested on NTL ex-C&W. Other providers will need to amend the config file & frequency as required.

 

7a. Updating Ambit 250 to hacked firmware

 

To flash the firmware onto the Ambit 250 you must use a MAX232/233 serial interface. Connect this up as normal.

Connect up the cable feed to the modem, and the Ethernet cable to the PC LAN card.

 

Make a new folder on your PC.

Copy "250hack_dump_telnet.bin" into it.

Copy "tftpd32.exe" into it (this was posted along with the Ambit 200 Sigma hack).

 

In Windows Networking set the network adaptor connected to the modem to a manual configuration with these details:

IP address: 192.168.100.10

Subnet Mask: 255.255.255.0

Gateway: 192.168.100.1

DNS: <don't enter anything>

 

Start tftpd32.exe

 

Now start HyperTerminal and connect to the COM port of the PC using these settings:

Bits per second: 115200

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

 

Power the modem up.

Enter '1', '2', or 'p' within 2 seconds or take default...

Choose option P (press it quickly; if you miss the window the modem continues booting).

 

Next, enter 192.168.100.1 as the "Board IP Address" and just press Enter to accept the defaults for the rest:

Board IP Address [0.0.0.0]: 192.168.100.1

Board IP Mask [255.255.255.0]:

Board IP Gateway [0.0.0.0]:

Board MAC Address [00:10:18:ff:ff:ff]:

Internal/External phy? (i/e)[i]

 

Now you should get the main menu:

Main Menu:

==========

d) Download and save to flash

g) Download and run from RAM

c) Store icePROM bootloader to flash

b) Boot from flash

e) Erase flash sector

m) Set mode

s) Store bootloader parameters to flash

i) Re-init ethernet

r) Read memory

w) Write memory

 

Choose option D and enter the values shown after each prompt (the prompt is on the left, what you type is on the right):

Board TFTP Server IP Address [0.0.0.0]: 192.168.100.10

Enter TFTP filename []: 250hack_dump_telnet.bin

 

You should now see the following appear:

Free store: a0500000

Starting TFTP of 250hack_dump_telnet.bin from 192.168.100.10

Getting 250hack_dump_telnet.bin using octet mode


Tftp complete

Received 2097152 bytes

HCS failed on Image 0 Program Header

 

Next, when asked "Do you wish to store it?", type Y, and at "sector to start store" enter 0 (zero):

Image does not have standard header. Do you wish to store it? [n] Y

Programming 2097152 bytes

Enter sector to start store: 0

 

Store parameters to flash ? [n]

 

The modem will now write the new firmware to flash.

Now you should get the main menu again.

 

The modem is now flashed and you can close this copy of HyperTerminal and disconnect your MAX232/233.

 

Set the LAN card back to dynamic IP and Gateway and reboot the modem.

 

Give it a minute to power up.

 

Now start a new copy of HyperTerminal; this time select:

Port: TCP/IP (Winsock)

Host address: 192.168.100.1

Leave the port number as 23. Once connected you should see the banner:

Broadcom Corporation Embedded Telnet Server (c) 2000-2003

WARNING: Access allowed by authorized users only.

 

Press Enter, then log in with the following username and password:

login: admin

password: infinite

 

WARNING: It is possible to crash the system, cause a deadlock,

or cause the connection to be shut down via Telnet.

Run commands with caution!

Console now switched to Telnet session...

Scanning DS Channel at 240000000 Hz...

Scanning DS Channel at 249000000 Hz...

...

 

We are now back in the console using telnet.

It should be scanning for a frequency to lock onto. To stop the scan, enter:

cd \cm_hal

scan_stop

cd \

 

Now open Internet Explorer and browse to the following page: http://192.168.100.1

 

Login: Infinite

Password: SetValue

 

NOTE: case sensitive: capital I, S and V.

NOTE: Firefox does not load the pages; you must use Internet Explorer.

 

Click on SECURITY

 

Type in your DS frequency and click Apply.

 

Switch back to the HyperTerminal window and enter:

cd \non

write

cd \

 

We now need to change the MAC address. We do this by writing the new Ethernet MAC into RAM first.

 

Assuming our MAC address is AA:BB:CC:DD:EE:FF, enter:

write_memory -s 4 0x807e8b98 0xAABBCCDD

write_memory -s 2 0x807e8b9c 0xEEFF

 

Next we must force the modem to commit this to flash, so enter:

cd \non

write

cd \

 

Now configure the other settings required to get online. Enter:

cd \non

cd hal

cm_tuner 19

write

annex_a

write

usb_mac_address <your usb mac address here>

write

NOTE: for the USB MAC, include the ":" separators, e.g. 11:22:33:44:55:66.

The USB MAC is the Ethernet MAC with one added to the last digit, e.g. 11:22:33:44:55:67.

Power off the modem for a few seconds and then back on again.

Give it a minute to connect and obtain an IP address.

You should now be able to access the web.

 

 

7b. Force modem to use the 10mb config file

 

Reconnect to the modem via telnet using HyperTerminal (as you did before).

Type in:

cd \non

cd doc

dhcp_settings

My IP Address: [192.168.100.1]

Subnet Mask: [255.255.255.0]

Router IP Address: [192.168.100.254]

 

Those are the only three settings that really need to be changed.

Do you want to change the other settings? [no] Y

TFTP Server IP Address: [10.10.10.254] <type in the IP of your TFTP server here>

Config file name: [cm.bin] cmreg-ntlhm120-bund03.cm

Time Server IP Address: [10.10.10.254]

SysLog Server IP Address: [10.10.10.254]

 

Now type in the following lines:

enable force_cfgfile true

write

 

Now reboot the modem.

You should still be able to connect to the web. You can check which config file you are running by browsing to http://192.168.100.1 and looking at the Connection page.

 

Now it is important to change the modem's telnet username and password to prevent unauthorized access.

 

Reconnect to the modem via telnet using HyperTerminal (as you did before).

 

Type in:

cd \non

cd msg

user_name <your desired username here>

password <your desired password here>

write

The settings will not be changed until you reboot your modem.

 

Granty