Welcome!

Welcome to the home page of Charles N Wyble. Charles is a 24 year old systems guy, hacker and entrepreneur currently living in El Monte CA, with his wife of 3 years.

He is currently employed as a system engineer for Ripple TV with responsibility for a nation wide advertising network.

In his spare time he serves as Chief Technology Officer for the SoCalWiFI.net project, runs a hacker space in the San Gabriel Valley and tries to save the local economy.


Wednesday, June 11, 2008

Hacking my DSL modem.

So I'm up to no good lately. :)

I have transitioned some of the projects I am working on out to trusted lieutenants to make things more scalable. Still a very small focused team but that's a good thing.

I am now focusing on networking. Started by setting up a cisco 1841 integrated services router and a catalyst 2924 switch. Was relatively easy and excellent documentation (both tutorial and reference) was available. Of course it helped that I knew what I wanted to do (NAT/port forwarding/dhcp client). If you don't have a basic understanding of networking and some solid end goals (preferably following the MGOT methodology I have created or something similar) you'll end up in the deep end very quickly.

Ok. So I have an ADSL connection from AT&T (or SBC as many of you may be familiar with).

My modem is a Motorola Netopia 2210-02 ADSL Modem. Its rather boring. It's a layer2 device more or less with a very simple management interface.

I looked at the technician readout from it, and am researching it. Here is the readout with lots of links/comments etc:



Some basic stuff:

1 Manufacturer Motorola, Inc.
2 Vendor ID 001d6b
3 Model Number 2210-02
4 Friendly Name Motorola Netopia 2210-02 ADSL Modem
5 Model Description Single Port Ethernet Modem
6 Model Name 2210-02
7 Serial Number 41080152
8 Hardware Version 1.0
9 Model DSL Firmware Version DSP 7.2.3.0, HAL 7.2.1.0
10 Model Software Version 7.7.3r5
11 Hardware Options
12 Software Options
13 Modem Configured true

Online manual for the modem can be found at broadband.motorola.com/consumers/products/2210-02/downloads/2210-02_UserManual.pdf

Not much there. Just basic config info.


Some basic stats:

14 Time Since Last Boot 013 days 15:28:45
15 Current Time 2008/06/11 21:32:16 GMT
16 Time Servers 68.94.156.17
68.94.157.2 ntp1.sbcglobal.net
ntp2.sbcglobal.net
17 First Time Use 2008/05/28 15:32:06 GMT

30 Modem Health Status ok
31 DSL Link Status up
32 Time Since Last Sync 000 days 20:26:23
33 Loss of Signal false
34 Loss of Framing false


First item of interest to me:
35 ATM Cell Delineation true

What is ATM Cell Delineation? Wow.... no wikipedia article. Interesting.
One reference here: http://www.cisco.com/en/US/tech/tk39/tk49/technologies_tech_note09186a00800d73b7.shtml

Protocol overview here:
http://www.javvin.com/protocolATM.html

Interesting. Not much to go on.


36 Internet Status up
37 Ethernet Link Status up
38 PPP Connection Status connected
39 PPP Last Connection Error none
40 PPP Uptime 000 days 20:26:40

50 Test ADSL Line Sync pass
51 Test ATM Cell Delineation pass
52 Test ATM Signal pass

More interesting stuff:

53 Test ATM OAM Segment Ping pass
54 Test ATM OAM End to End Ping pass

Paydirt on OAM: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12satmpng.html (Stands for Operation, Administration, and Maintenance).

The ATM OAM Ping feature sends an ATM Operation, Administration, and Maintenance (OAM) packet to confirm the connectivity of a specific permanent virtual circuit (PVC). The status of the PVC is displayed when a response to the OAM packet is received. The ATM OAM Ping feature allows the network administrator to verify PVC integrity and facilitates ATM network troubleshooting.

Cool. PVC will be used later on in this post. So remember what it stands for.





55 Test DSL Ethernet to ATM pass
56 Test LAN Ethernet Connection pass
57 Test Mac Bridge to LAN Ethernet pass
60 Test PPPoE to Ethernet pass
61 Test PPP to PPPoE pass
62 Test PPPoE Server Connect pass
63 Test PPPoE Server Session pass
64 Test Authentication with PPP server pass

I presume that 62 to 64 are related to the DSLAM/Radius server....


65 Test IP to WAN pass
66 Test IP to LAN Ethernet pass
68 Test IP to PPP pass
69 Test Validate WAN IP address pass
70 Test Gateway Ping pass
71 Test DNS Well Known Host Query pass
72 Test Primary DNS Ping pass
73 Test Secondary DNS Ping pass
74 Test Mail Srvr 1 Ping skipped
75 Test Mail Srvr 2 Ping skipped
76 Test News Srvr 1 Ping skipped
77 Test News Srvr 2 Ping skipped
78 Test Web Portal 1 Ping skipped
79 Test Web Portal 2 Ping skipped
80 Test PPPoE Connect to Gateway pass

Ok. So a healthy overall connection. A bit of research needed to figure everything out and I'm mostly satisifed. :)


90 Active VCs provisioned 1

Hmmm.... interesting. Wonder if there is a way to get more then one active VC provisioned..... probably not over the same copper/fiber (PON) circuit but who knows?


91 DSLAM Vendor Id 4244434d (BDCM)

So 91 is interesting. A quick search reveals some tables with various DSLAM vendor IDs. This one is a broadcom. See http://www.broadcom.com/products/applications/DSLAMs for more on their offerings.

92 DSL Line Mode DMT
93 DSL Training Mode multimode

Hmmmm..... line mode and training mode.... very interesting.

Lots of tech readouts but nothing explaining what DSL line mode actually is. Also some hits on vendor manuals for the term as well.


How bout training mode? More or less the same type results as line mode.

94 Conf VPI 0
95 Conf VCI 35
96 Conf PVC Search List 0/35, 8/35, 0/43, 0/51, 0/59, 8/43, 8/51, 8/59
97 VPI 0
98 VCI 35
99 VC Encapsulation LLC

So 94 to 99 is interesting. See http://www.tekelec.com/ss7/protocols/atm10.asp for more info. Searching for atm vpi or atm vci returns lots of results.



100 DSL Line Type Fast
101 DSL Line Interleaved Depth 1

110 Default Device Enabled true
111 Default Device Mac Address 00:00:00:00:00:00
112 Default Device IP Address 192.168.1.64
113 Default Device Address Type private
114 Service Provider Name
115 Service Provider Phone
116 Service Provider URL
117 Service Provider Help URL

Wouldn't it be cool if the DSLAM leaked out some contact info for local techs... hehe.

118 Modem MAC Address 00:1d:6b:72:d5:58
119 LAN DHCP Server Enabled true
120 DHCP Subnet Mask 255.255.255.0
121 DHCP Start IP Address 192.168.1.64
122 DHCP End IP Address 192.168.1.64
123 DHCP Default Gateway 192.168.1.254
124 DHCP Default Lease Time 009 days 09:09:00
125 Domain name
126 DHCP Leases Allocated 1
127 DHCP Leases Available 0
Rx Tx
140 Current Rate 768 384
141 Previous Rate 0 0
142 DSL Max Rate - -
143 DSL Min Rate - -
144 Current ATTN DR 1440 576
145 Current SNRM 12.0 13.0
146 Current LATN 63.0 31.0
147 Current SATN - -
148 Current TP 13.5 11.3

15 Min 24 Hour Yesterday
160 Time Elapsed 759 55660 142062
161 Chan Received Blks 44715 3274867 5080902
162 Chan Transmitted Blks 44715 3274867 5080902
163 Chan Corrected Blks 0 0 0
164 Chan Uncorrected Blks 2 180 1079
165 HEC Vcnt - - -
166 HEC Tcnt - - -
167 HEC Ucnt 0 0 0
168 ICBE - - -
169 LCD 0 0 0
170 NCD 0 0 0
171 CVL 2 180 1079
172 LCD Tx 0 0 0
173 NCD Tx 0 0 0
174 CVL Tx 0 4 11
175 LOF 0 0 0
176 LOS 0 0 0
177 LOSS - - -
178 LOL - - -
179 LPR - - -
180 ES 0 0 0
181 SESL 0 0 0
182 UASL 0 0 0
183 ECL 0 0 0
184 ECSL - - -
185 ECL Tx - - -
186 Inits - - -
187 FastR - - -
188 Failed FastR - - -
189 DSL Initialization Errors 0 0 0
190 DSL Initialization Timeouts 0 0 0
191 DSL Line Search Initializations - - -
192 DSL Loss of Margin Failures - - -
193 ISP Connection Establishment - - -

210 VC ATM CoS ubr
211 VC ATM SCR -
212 VC ATM PCR -
213 VC ATM MCR -
214 VC ATM Burst Tolerance -
215 VC ATM CDV -
216 VC Max SDU -
217 ATM VC Receive Cells 7865646
218 ATM VC Receive PDUs 479595
219 ATM VC Receive Frames 479595
220 ATM VC Receive Octets 416879244
221 ATM VC Receive Errors 0
222 ATM VC Receive Discards 0
223 ATM VC No Receive Buffers -
224 ATM VC Transmit Cells 943680
225 ATM VC Transmit PDUs 393284
226 ATM VC Transmit Frames 393284
227 ATM VC Transmit Octets 50015048
228 ATM VC Transmit Errors 0
229 ATM VC Transmit Discards 469
230 ATM VC Transmit Queue Full -
231 DSL Rate Mode -
232 Conf Target SNR Margin -

Oct Err PkU PkNU Disc
240 LAN IP Tx 871985080 0 9996203 1009924 0
241 LAN IP Rx 804012818 0 9848262 13 0
242 LAN Ethernet Tx 961476806 0 9966184 34524 0
243 LAN Ethernet Rx 1034180444 0 9996199 1009924 0
244 LAN PPPoE Rx - - - - -
245 IP 2684 Tx 49290690 0 385669 0 1149
246 IP 2684 Rx 401051512 0 471982 0 350
247 Ethernet 2684 Tx 50015048 0 393284 0 469
248 Ethernet 2684 Rx 416879244 0 479595 0 0

260 Ethernet Rate 100Mbps
261 Ethernet Duplex Full

270 Internet Connection Type PPPoE
271 Modem Configuration Single Device Router
272 NAPT Enabled true
273 Modem IP Address 192.168.1.254
274 Modem Net Mask 255.255.255.0
275 Modem Broadcast Address 192.168.1.255

290 PPP UserName patriciawyble@att.net
291 PPP Service Name
292 PPP Access Concentrator 90084030600402-rback39.irvnca
293 PPP Connect Mode Smart keep alive
294 PPP Idle Timeout
295 Conf PPP Authentication Protocol chap pap
296 PPP Authentication Protocol pap
297 WAN IP Address 75.34.231.146
298 WAN Subnet Mask 255.255.255.255
299 WAN Default Gateway 75.34.231.254
300 Conf DNS Servers -
301 DNS Servers 68.94.156.1 dnsr1.sbcglobal.net
68.94.157.1 dnsr2.sbcglobal.net
302 PPP MRU 1492
303 Conf PPP MRU 1492
304 LCP Echo 10
305 LCP Echo Retry 6

320 LAN Device Table
Name Type IP Mac
Leased Time
IP Rx
IP Tx PPPoE
Rx
Last Seen
Status
320a elmonte-edgerouter.corp.knownelement.com Ethernet 192.168.1.64 00:11:21:a8:de:a9 +005 days 15:13:31 - - - - active

321 IP Gateway Table
Type
Metric
Timeout
Status

322 IP Route Cache Table
Net Addr
Netmask
Type
GW
Metric
Timeout
Iface
Origin
322a 127.0.0.1 255.255.255.255 - 127.0.0.1 0 - Loopback -
322b 127.0.0.2 255.255.255.255 - 75.34.231.254 0 - WAN vcc1 -
322c 192.168.1.254 255.255.255.255 - 192.168.1.254 0 - Ethernet 100BT -

323 Ethernet IP ARP Table
IP
MAC
Flags
323a 192.168.1.64 00:11:21:a8:de:a9 - VALID


330 Receive CCF ps Hlog -

331 Receive CCF ps HLin -

332 Receive QLN ps -

333 Receive SNR ps
333a

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333b

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333c

19.0 21.0 24.0 21.0 27.0 27.0 27.0 27.0 27.0 30.0 27.0 30.0 30.0 30.0 30.0 30.0

333d

30.0 27.0 27.0 27.0 27.0 27.0 27.0 24.0 24.0 27.0 27.0 27.0 27.0 27.0 27.0 0.0

333e

21.0 0.0 19.0 21.0 21.0 21.0 19.0 14.0 19.0 14.0 14.0 14.0 0.0 14.0 0.0 0.0

333f

0.0 14.0 14.0 14.0 14.0 0.0 14.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333g

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333h

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333i

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333j

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333k

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333l

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333m

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333n

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333o

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

333p

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0


334 ADSL DMT Bin Bits
334a

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334b

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334c

3 4 5 4 6 6 6 6 6 7 6 7 7 7 7 7

334d

7 6 6 6 6 6 6 5 5 6 6 6 6 6 6 0

334e

4 0 3 4 4 4 3 2 3 2 2 2 0 2 0 0

334f

0 2 2 2 2 0 2 0 0 0 0 0 0 0 0 0

334g

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334h

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334i

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334j

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334k

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334l

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334m

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334n

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334o

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

334p

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


335 ADSL DMT Bin Atn -



Bah..... lots more to research. I'll probably come back and edit this post later on.

4 comments:

Anonymous said...

Good technical blog article. Please post the same article to the site: http://www.networkdictionary.com

Anonymous said...

AT&T says this unit supports firwall NAT. I don't know how to turn it ON. here is the log.

2008/08/17 0:58:10 GMT | L3 | SNMP: initializing service over UDP
2008/08/17 0:58:10 GMT | L3 | DIA: Diagnostics service initializing
2008/08/17 0:58:10 GMT | L3 | FW: initializing service
2008/08/17 0:58:10 GMT | L3 | FW: Firewall service is disabled
2008/08/17 0:58:10 GMT | L3 | SSL: Initializing Service
2008/08/17 0:58:10 GMT | L3 | SSL: Installed Verisign, Equifax & Thawte Root CA certificates
2008/08/17 0:58:10 GMT | L3 | SSL: Initialization Success
2008/08/17 0:58:10 GMT | L3 | UPnP: Initialization complete
2008/08/17 0:58:21 GMT | L3 | LHD: IP 192.168.1.64, MAC

Anonymous said...

I went to the ip on the bottom of my modem same as the one of his readouts. Instead it went to my modem acount were i can manage it. Even download upgrades for software and check status and other things. Logs can be erased to.

fester said...

did you ever find out how to turn on the NAT firewall. mine also says disabled. i did NOT run the CD (and hope never to have to)- is that the only way to turn it on, perhaps?

thanks
fester