Make your own free website on

14. Motorola SB5101


14a. Method 1

Unfortunately theirs no hacked firmware available yet for the SB5101 but have a read of the following that was posted on Modshack by:


In the blackcat program folder, go to the broadcom folder and add this line to the broadcom.bc file jtagpart 0x3349 "bcm3349" "bcm3349_docsis" and create a new .bc file containing this line script "./jtagparts/common/ejtag.bcs" and save the file as bcm3349.bcs


Build 126+ is the only version that has support for 5101 devices. Unfortunately for all you pirates, these builds have online protection integrated so you must be a member and have purchased a firmware.


Well now you can sort your 5101 modem out without being a TCNIO member and having the latest Shwarzekatze.


Do the above in build 120.


14b. Method 2

Here's another way to mod the SB5101 without using modified firmware.


The following screen shots and text were put together by




The JTAG and serial ports make it cable modem modding perfection. There is however a distinct lack of firmware that will work on it. You can of course use the Ambit 250 hacked firmware on which works fine (as the Ambit 250 is pretty much the same modem as a SB5101E). However, this tutorial is for those of you that would rather use the more up to date original firmware that came with the modem. On mine, that firmware is SB5101E- Of course, this firmware has no console, so, you would think you are stuck with simply changing the MAC address via blackcat and putting up with the subscribed config of the MAC you are using, which means scratching around looking for the few bund03 configs in your sniffers. Well you don't have to do that. Here's a simple guide to using the original SB5101E firmware with all the config override options. I am assuming you are familiar with the basic concepts of blackcat programming and serial flashing; this tutorial will not go into huge detail about these processes as you are expected to know. I recommend you use build 128 of SchwarzeKatze too.


The 5101 will need to be soldered up with the JTAG and SERIAL port headers. This is an illustration of the pin-outs of each port.

Note that the serial port pin outs are arranged differently to the standard pin outs most of us are used to, and you may need to create a small adapter. I used a small piece of strip board, a 4 pin header and a floppy power cable I cut from an old power supply (see image). This adapter changes the pin outs to the same order as the ambit modems, allowing the standard pre-built Max232/3 cables to work without modification.

The JTAG points are however standard.


Taking a full backup.

Connect the cable feed and boot the modem and allow it to obtain a lock. You will know it's locked when you see all the 4 green LED's lit on the front. Now power down the modem and disconnect the cable feed. Connect the blackcat cable and power the modem up again, this time take a full backup of the modem firmware using SchwarzeKatze. Go to the 'Flash' tab and click 'Read All' to do this.



Flashing a new bootloader.

After the full backup is done you need to flash a new bootloader. As standard, the 5101E has a quiet bootloader, this needs to be replaced with another to allow us access to the main flash menu. Just use SchwarzeKatze to flash the included bootloader.bin file onto the modem using the 'Bootloader (Bootstrap)' function in the 'SB5100' tab. Wait until this is finished.


Netbooting a shelled firmware.

Power down the modem and connect your Max232/3 cable. Load up your terminal emulator and power up the modem.

You should now see the familiar "Press '1', '2' or 'p'" prompt appear.

Press 'p'.

Enter as the main board IP as usual, and again,

as usual set your windows tcp/ip settings to


NetMask: , all standard stuff so far.


Start up your tftp server (there's one included) and make sure that its root folder is set to the same folder that you extracted the attached rar file into. In the flash menu,

select option 'g'.

Enter as the TFTP IP

and enter SB5100E- as the filename.

It will download it and scroll a few things on the terminal screen, and then it will ask if you want to save parameters to flash, enter no. The shelled firmware will then run, although this firmware is meant for a 5100E, it will still run on a 5101E, it just doesn't support the tuner used in the 5101E so it cannot lock onto the DS frequency, but that doesn't mean we can't use the firmware to change the modem's settings, getting the idea now? He he!


When all booted it will start to scan for channels, but will be complaining because the tuner is not supported, stop this by entering these commands.



cd /cm_hal



Now enter the following commands to setup your modem. Note some of these commands need alteration.



cd /non

cd halif

mac_address 1 aa:bb:cc:dd:ee:ff (change to a valid MAC)

cd ../docsis

enable bpi true

enable force_cfgfile true



My IP Address: [] <press return>

Subnet Mask: [] <press return>

Router IP Address: [] <press return>


Those are the only 3 that really need to be changed. Do you want to change the other settings? [no] Y


TFTP Server IP Address: [] <type in the IP of your area's TFTP server here>

Config file name: [cm.bin]

Time Server IP Address: [] <press return>

SysLog Server IP Address: [] <press return>


cd ../snmp

max_dload_tries 0

docsDevSwAdminStatus 3



Note that you can find your TFTP IP from using DCHP Force or most other MAC sniffers.


That should be it, reboot the modem and reconnect the cable feed and all should be well. You can change the MAC address again using Blackcat or by repeating the steps from Net booting a shelled firmware.


All the best,