[*] docsis query

Ron Dallmeier ron at fiber.ca
Thu Jun 9 13:05:03 CDT 2005

The following is my understanding of how the cable modems are configured:

- cable modem turns on - it does a BOOTP request
- cable modem is supplied with a IP address, firmware version that is should
be running and the tftp server
- cable modem gets the firmware only if required
- cable modem gets the config from the tftp server

The config file contains are the parameters including QOS settings or
rate-limiting, all the RF settings (which channel to move to), etc.

For those interested in hacking, the cable modem is usually configured not
to accept BOOTP from the NIC side and therefore you would have to answer the
BOOTP request on the RF side. You would also have to know several things
about the head-end (CMTS) so that the config file matched the settings. The
config file is binary and the format is not publicly available. Lastly, you
would probably need your own CMTS to jump in at the BOOTP sequence and
moving your cable modem from your mini RF network to Shaw's would have to be
done very fast. If the cable modem senses that the network has dropped it
will reboot.

Another easier way would be if someone found out the SNMP write password and
obtained the MIB table for the modem. You could tweak settings that would
last until your modem was reset. At Videon (before Shaw) we did not poll
cable-modems so ARP spoofing one would not result in capturing a SNMP
packet. We polled everything from the CMTS. A simple access-list on the CMTS
could easily prevent SNMP traffic to Shaw's network components.

For more detail info on the DOCSIS standards go to


On 6/9/05 12:24 AM, "DAN KEIZER" <ve4drk at shaw.ca> wrote:

> With the info that's been discussing recently regarding latency and the like
> on mts/shaw's systems WRT voip, I did a little digging ... I have shaw extreme
> internet (I like it .. alot) ... I have the docsis 2.0 motorola modem (SB5100
> surfboard cablemodem).  It seems that this little modem has an http and snmp
> server and it appears that shaw has disabled the customer-side of the snmp
> server :-( I'd be interested in knowing if anyone has been able to get any
> stats out of this system. The built-in httpd server ( provides
> very limiited information from the pages I've been able to hit.
> There was a website (
> http://homepage.ntlworld.com/robin.d.h.walker/cmtips/latency.html ) i was
> perusing which discusses latency issues with the docsis .. interesting .. i
> didn't realize that any extra transmissions from the client side over the
> bandwidth limiting control just gets dumped and would have to be re-tx'ed ..
> so it certainly makes good sense to throttle the router back .. don't know
> about what the modem would do in this case or whether it is even configurable
> for bandwidth limiting on it's side.  anyone know anything more about this
> modem/config options?
> Learned something new ..
> Dan.
> _______________________________________________
> Asterisk mailing list
> Asterisk at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/asterisk

More information about the Asterisk mailing list