
18. Secret MIBs & Secret way to upgrade cable modem via BITFILE


The following text was compiled by

Dshocker (of TCNISO)



Look down at the bottom and you will see the secret MIBs for the modems,

like getting and setting your modem cert... Dshocker


Well, here it is: everything you will need for your modem.

You can upgrade modem firmware, do whatever. Read the readme

under this text, because if you don't I will not help you.

Hope you have fun.



PS: the bitfile is named after the modem model. To use it on an SB5100

you name it SB5100.bit; on an SB4100, SB4100.bit; on an SBG900,

SBG900.bit, etc.


Officially Released by Dshocker


18a. Factory Mode


Before I talk about bit files I should explain what factory mode is:


Factory mode, when enabled, gives you access via SNMP to the factory MIB.

The factory MIB is a list of OIDs, each OID having a unique function.

Here is a very small list of things you can do remotely via SNMP when in factory mode:

- get/set the HFC, Ethernet and USB MAC addresses.

- get/set the modem serial number.

- get/set the modem certs (CM, vendor, and secure code).

- ping IP addresses.

- execute shell commands.

- execute injected code (see cmFactoryBCMGroup: CommandType, AddressOrOpcode, ByteCount and Data).

Note that the factory group listed in 18d also contains objects named cmFactoryBigRSAPrivateKey, cmFactoryCMCertificate and cmFactoryManCertificate, so once factory mode is on, the modem's whole BPI+ identity (certificate chain and key) is reachable over plain SNMP with nothing more than the community string.


18b. Bit Files

The bit file method works on firmware and up on the SB3100, SB4100, SB4101

and SB4200,

and on any SB5100, SB5101 and SBG900.


The bitfile method works like this:

1) Using SNMP you set the OID to the integer value of your HFC MAC address

(convert the hex MAC to decimal, e.g. with Calc.exe).

2) The modem then TFTP-gets a 'bitfile' from the TFTP server (see 18c, step 1).

The file is named after the model: a 4100 modem will TFTP-get SB4100.bit, and a 4200 modem will TFTP-get SB4200.bit.


3) If the bit file is the correct size and contains the exact sequence of bytes, then factory mode is enabled and the modem reboots!


4) When the modem reboots you have full access to the factory MIB and all the OIDs within it.


NOTE: Factory mode will stay enabled until you turn it off by setting the OID to integer 1 and rebooting the modem!


Sorry no source code for you :P - a compiled bitfile is in the rar.
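The TFTP fetch in step 2 is the part of this method that is visible on the wire: a modem that has just been sent the trigger set asks the TFTP server for <model>.bit. As an added example that is not part of the original tutorial or of TCNISO's tools, the Python below decodes TFTP read requests (RFC 1350, opcode 1) and flags any request for a Surfboard-style bitfile; the packets are constructed inline, and the filename pattern is built from the model names given on this page (SBnnnn.bit, SBG900.bit).

```python
"""
Added example (not the tutorial's code): decode TFTP RRQ/WRQ packets and flag
read requests for '<model>.bit' files, the fetch the tutorial says a modem
performs after the factory-mode trigger OID is set.
"""
import re
import struct

# Filenames from the tutorial: SB<digits>.bit or SBG900.bit (case-insensitive).
BITFILE_RE = re.compile(r"^SB(?:G)?\d{3,4}\.bit$", re.IGNORECASE)

TFTP_RRQ = 1
TFTP_WRQ = 2
TFTP_MODES = ("netascii", "octet", "mail")


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for a well-formed TFTP RRQ/WRQ,
    or None for anything else (data/ack/error packets, truncated requests)."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    # Layout after the opcode: filename NUL mode NUL [option NUL value NUL]...
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"" or not fields[0] or not fields[1]:
        return None  # a field was not NUL-terminated, or filename/mode empty
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    if mode not in TFTP_MODES:
        return None
    return opcode, filename, mode


def is_bitfile_fetch(payload: bytes) -> bool:
    """True when the packet is a read request for a '<model>.bit' file."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return False
    opcode, filename, _ = parsed
    basename = filename.rsplit("/", 1)[-1]  # the modem asks for the bare name
    return opcode == TFTP_RRQ and BITFILE_RE.match(basename) is not None


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP RRQ; used here only to construct the sample packets."""
    return (struct.pack("!H", TFTP_RRQ)
            + filename.encode("latin-1") + b"\x00"
            + mode.encode("latin-1") + b"\x00")


# Constructed sample traffic: two bitfile fetches, one ordinary DOCSIS config
# fetch, a write request (not a fetch) and a truncated request.
SAMPLE_PACKETS = [
    build_rrq("SB4100.bit"),
    build_rrq("SBG900.bit"),
    build_rrq("cm-gold.cfg"),
    struct.pack("!H", TFTP_WRQ) + b"SB5100.bit\x00octet\x00",
    b"\x00\x01SB4200.bit",  # filename never NUL-terminated
]


def flag_bitfile_fetches(packets):
    """Return the filename of every packet that is a bitfile read request."""
    return [parse_tftp_request(p)[1] for p in packets if is_bitfile_fetch(p)]


if __name__ == "__main__":
    for name in flag_bitfile_fetches(SAMPLE_PACKETS):
        print("possible factory-mode trigger: TFTP RRQ for", name)
```

On a provisioning network the only legitimate TFTP traffic from a modem is the config-file fetch, so a read request for a .bit file from a modem's IP is a strong signal on its own; the parser rejects write requests and truncated packets so that log noise does not trigger it.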


18c. Enable Factory MIB

This tutorial will show you how to enable the factory MIB on a modem and change the

MAC and serial via SNMP.


1) Put the .bit file into your TFTP server's directory.


2) Use SNMP to set the OID to the decimal value of your HFC MAC address.

Example: snmpset -v2c -c public i


The modem will now get the bit file and if it's correct it will enable factory mode and reboot!

Once the modem is rebooted....


3) You can now set the OID to your NEW ETHERNET MAC address

Example: snmpset -v2c -c public s



4) You can now set the OID to your NEW HFC MAC address.

Example: snmpset -v2c -c public s



5) You can now set the OID to your NEW SERIAL NUMBER.

Example: snmpset -v2c -c public s



6) To finish up, disable the factory MIB by setting the OID to integer 1.

Example: snmpset -v2c -c public i


Now reboot your modem and all is done.
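Steps 2 to 6 above, as an added example that is not the tutorial's or TCNISO's code: a dry run that does the hex-to-decimal conversion the tutorial leaves to Calc.exe and returns the net-snmp command lines in order, without sending anything. The snmpset examples on this page are missing their host, OID and value, so the trigger OID is a parameter here (the placeholder name used below is hypothetical); the other objects are referenced by the names from the list in 18d, which assumes the vendor MIB is in net-snmp's MIB path (-m ALL) and that they are scalars (.0 instance); the colon-separated MAC string format is also an assumption, since the page does not show what the string sets contain.

```python
"""
Added example (not the tutorial's code): build, but do not run, the snmpset
commands for the factory-mode procedure. Assumptions are marked in comments.
"""
import re
import shlex


def mac_to_int(mac: str) -> int:
    """Convert a 48-bit MAC ('00:11:22:33:44:55', '00-11-...', '0011.2233.4455'
    or bare hex) to the integer the trigger set expects; the Calc.exe step."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def normalize_mac(mac: str) -> str:
    """Canonical upper-case colon form for the string sets (assumed format)."""
    digits = format(mac_to_int(mac), "012X")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def snmpset(host, community, obj, vtype, value, mib="ALL"):
    """argv for one net-snmp set: snmpset -v2c -c <community> -m <mib> host obj type value."""
    return ["snmpset", "-v2c", "-c", community, "-m", mib, host, obj, vtype, str(value)]


def factory_mode_plan(host, hfc_mac, new_enet_mac, new_hfc_mac, new_serial,
                      trigger_oid, community="public"):
    """Return the ordered snmpset argv lists for steps 2-6 of the tutorial.

    trigger_oid: the object whose integer set makes the modem fetch the
    bitfile; it is not given on this page, so the caller supplies it.
    The reboots between step 2/3 and after step 6 are out of band."""
    if not new_serial.strip():
        raise ValueError("serial number must not be empty")
    return [
        # step 2: trigger = decimal value of the current HFC MAC
        snmpset(host, community, trigger_oid, "i", mac_to_int(hfc_mac)),
        # steps 3-5: names from the 18d list; '.0' assumes scalar objects
        snmpset(host, community, "cmFactoryEnetMacAddr.0", "s", normalize_mac(new_enet_mac)),
        snmpset(host, community, "cmFactoryHfcMacAddr.0", "s", normalize_mac(new_hfc_mac)),
        snmpset(host, community, "cmFactorySerialNumber.0", "s", new_serial),
        # step 6: turn the factory MIB off again (integer 1)
        snmpset(host, community, "cmFactoryDisableMib.0", "i", 1),
    ]


def render(plan):
    """One shell-quoted line per command, for review before anything is sent."""
    return "\n".join(shlex.join(argv) for argv in plan)


if __name__ == "__main__":
    # Constructed values; 'cmFactoryTriggerPlaceholder' is hypothetical.
    plan = factory_mode_plan("192.0.2.10", "00:11:22:33:44:55",
                             "00-11-22-33-44-56", "0011.2233.4457",
                             "SERIAL0001", "cmFactoryTriggerPlaceholder")
    print(render(plan))
```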


18d. Factory mode OID list for Motorola cable modems

AKA factory MIBs for factory mode

This list is generic among Motorola cable modems

(SB3100, SB4100, SB4101, SB4200, SB4220, SB5100, SB5101, SBG900 and probably more). HOWEVER, some OIDs will not exist on some modems;

e.g. the cmFactoryBCMGroup OIDs used to execute code only exist on the SB5100, SB5101 and SBG900.


cmPrivateArpFilterGroup:
  cmArpFilterEnabled
  cmArpFilterInterval
  cmArpFilterLimit
  cmArpFilterInArps
  cmArpFilterOutArps
  cmArpFilterInArpsThisFilter


cmConfigFreqObjectsGroup:
  cmConfigFreq1
  cmConfigFreq2
  cmConfigFreq3
  cmFreqPlanType
  cmUpstreamChannelId1
  cmCarrierFrequencyOffset
  cmSnmpHFCPort
  cmSnmpHFCTrapPort
  cmSnmpDisplayHtml
  cmResetToDefaults
  cmStandbyMode
  cmHybridMode
  cmUpstreamChannelId3
  cmUpstreamPower1
  cmUpstreamPower2
  cmUpstreamPower3
  cmDocsis20Capable
  cmUpstreamChannelId2


cmPrivateFactoryGroup:
  cmFactoryVersion
  cmFactoryDbgBootEnable
  cmFactoryEnetMacAddr
  cmFactoryHfcMacAddr
  cmFactorySerialNumber
  cmFactoryClearFreq1
  cmFactoryClearFreq2
  cmFactoryClearFreq3
  cmFactorySetReset
  cmFactoryClrConfigAndLog
  cmFactoryPingIpAddr
  cmFactoryPingNumPkts
  cmFactoryPingNow
  cmFactoryPingCount
  cmFactoryCliFlag
  cmFactoryDisableMib
  cmFactoryUpstreamPowerCalibration1
  cmFactoryBigRSAPublicKey
  cmFactoryBigRSAPrivateKey
  cmFactoryCMCertificate
  cmFactoryManCertificate
  cmFactoryRootPublicKey
  cmFactoryCodeSigningTime
  cmFactoryCVCValidityStartTime
  cmFactoryCMManufacturerName
  cmFactoryHtmlReadOnly
  cmFactoryCmUsbMacAddr
  cmFactoryCpeUsbMacAddr
  cmFactoryCmAuxMacAddr
  cmFactoryTunerId
  cmFactoryHwRevision
  cmFactoryUsAmpId
  cmFactory80211RegDomain
  cmFactoryResidentialGatewayEnable
  cmFactoryFWFeatureID
  cmFactorySwServer
  cmFactorySwFilename
  cmFactorySwDownloadNow
  cmFactoryGwAppPublicKey
  cmFactoryGwAppPrivateKey
  cmFactoryGwAppRootPublicKey
  cmFactoryDownstreamCalibrationGroup
  cmFactorySuspendStartup
  cmFactoryDownstreamFrequency
  cmFactoryDownstreamAcquire
  cmFactoryTunerAGC
  cmFactoryIfAGC
  cmFactoryQamLock
  cmFactoryDownstreamCalibrationTableMaxSum
  cmFactoryDownstreamCalibrationTableMinSum
  cmFactoryTop
  cmFactoryDownstreamCalibrationOffset
  cmFactoryCalibrationEntry
  cmFrequencyCalibrationIndex
  cmFactoryCalibrationFrequencyData


cmFactoryBCMGroup:
  cmFactoryBCMCommandType
  cmFactoryBCMAddressOrOpcode
  cmFactoryBCMByteCount
  cmFactoryBCMData


cmStatsObjectsGroup:
  cmResetIfCmStatusCounters
  cmResetCMSignalQualityCounters
  cmQam256PowerFactorTableVersion


cmTftpConfigPrivateGroup:
  cmCfgClassId
  cmCfgMaxDsRate
  cmCfgMaxUsRate
  cmCfgUsChannelPriority
  cmCfgMinUsDataRate
  cmCfgMaxUsChannelXmitBurst
  cmCfgCovPrivacyEnable


cmCfgBpiTimeOutGroup:
  cmCfgAuthorWaitTimeOut
  cmCfgReauthorWaitTimeOut
  cmCfgAuthorGraceTime
  cmCfgOperWaitTimeOut
  cmCfgRekeyWaitTimeOut
  cmCfgTekGraceTime
  cmCfgAuthorRejectWaitTimeOut


cmOtherConfigGroup:
  cmCfgDsFreq
  cmCfgUsChannelId
  cmCfgNetAccessCtrl
  cmCfgSoftUpgradeFile
  cmCfgTotalSnmpWriteAccessCtrl
  cmCfgTotalSnmpMibObj
  cmCfgVendorId
  cmCfgVendorSpecific
  cmCfgModemCapabilities
  cmCfgModemIp
  cmCfgTotalEthernetMacAddrs
  cmCfgEthernetMacAddrs
  cmCfgTelcoSetting
  cmCfgSnmpIpAddr
  cmCfgMaxCpe
  cmCfgTftpServerTimeStamp
  cmCfgTftpServerProvModAddr
  cmCfgUuFlashParms
  cmCfgMulticastPromiscuous


cmDhcpObjectsGroup (entries shown as ? were not named in the original list):
  cmTrapObjectValueChange
  ?
  ?
  ?
  ?
  cmTrapLog
  ?