Ambit 250

Installing the Haxorware firmware onto an NTL Ambit 250 EuroDOCSIS 2.0 cable modem.

Disclaimer

This is my own old Ambit 250 from a previous NTL package. Installing Haxorware on, or otherwise tampering with, a subscription modem from Virgin Media or another cable ISP is probably a violation of their ToS, as is spoofing MACs or security certificates, and will get you in trouble with "The Man."

As I myself have a legit Virgin Media "Superhub" (which can operate in "Modem Mode") from my internet package with them, I have no real use for this, but I like playing with hardware like this and it was pretty interesting anyway.

Hardware you will need:

  • An Ambit 250/255 (the 255 was not tested here but is assumed to work as well)
  • A MAX232 board (you can get one of these pretty cheaply off eBay, or build one yourself with the chip and a couple of caps) plus some jumper cables
  • Pin headers for the modem
  • A Windows computer with a serial port

Software you will need:

  • TFTPD32 (or another TFTP server)
  • A serial terminal program such as PuTTY or HyperTerminal
  • The Haxorware image, haxorware11rev39-DIAG.bin
  • If your modem has the newer locked firmware: Water's console-unlock exploit, SoftJTag and the older "E08C007-BOOTLOADER-2.1.6d.bin" bootloader (all covered below)

First you will need to open up the modem by unscrewing the screws on the bottom and "popping" the cover off (there are internal catches on either side which need to be pressed in and are pretty fiddly). Find the 5-pin "J353" position on the board and solder in a pin header.


J353 Serial connection pin out:

  • Pin 1: GND
  • Pin 2: Data TX
  • Pin 3: 3.3V
  • Pin 4: Data RX
  • Pin 5: GND

Before you start messing around with the modem firmware, you need to set up a TFTP server to transfer the new firmware to the modem. Here I'm using TFTPD32 running on Windows, though I would imagine other TFTP server software would work just fine as well. Download, install and set it up.

Assign your PC a static IP address on the interface facing the modem (192.168.100.10 is the address used by the TFTP server and bootloader settings below).

IP Config

In your TFTP server, set the interface to 192.168.100.10 and then set the directory to the one where you downloaded "haxorware11rev39-DIAG.bin".

TFTPD32 Config

Now connect up an Ethernet cable between the modem and your computer running the TFTP daemon, but don't boot it up just yet.

You will need the MAX232 chip to convert between the 3.3 V logic-level serial signals on the modem and the RS-232 levels used by the computer's serial interface. Consult the diagram and, using some jumper cables, connect the modem up to the MAX232 (make sure to get RX/TX the right way around, i.e. TX on the modem goes to RX on the MAX232, and don't waste 10 minutes wondering why it isn't working like I did).

Ambit and MAX232 setup (schematic)

Ambit and Max232 setup

As I had no double-ended jumper cables, I just soldered some screw terminals to some veroboard (ignore the white wires, they serve no purpose) to make the connection.

Now start a serial connection (using, for example, PuTTY or HyperTerminal) on the computer connected to the MAX232, boot the modem and see whether you get any readout on your terminal as it boots.

PuTTY Config

The next step depends on which firmware version is currently flashed onto the modem. If, when you boot up, you see the text:

Enter '1', '2', or 'p' within 2 seconds or take default...

and you can select "p" and get taken to another menu, you have an old modem and can skip ahead to the IP settings step below.

However, if when you boot the modem you get a load of scrolling text for a few seconds before it "locks" and stops responding, you have the newer version of the firmware and will need to revert to an earlier version before you can install Haxorware.

This was due to a "feature" of some earlier modems: you could spoof the MAC of another legit modem and get a free Internet connection. In response, Virgin/Ambit rolled out a firmware upgrade to all modems that were connected to the network at the time; this newer firmware locks down the bootloader to try to prevent tampering with the modem.

Fortunately, thanks to the hard work of "Water" at underground-modems, there is an exploit to unlock the console, allowing you to roll back to the previous, non-locked firmware and then flash Haxorware onto it.

Download it together with "SoftJTag"; it includes an instruction PDF which is pretty straightforward on how to use it. When you boot the modem, run the exploit and you now have access to the console.

Now use the included SoftJTag program to write the older "E08C007-BOOTLOADER-2.1.6d.bin" bootloader to the modem.

This time when you reboot the modem, you can successfully hit "p" to go to the IP settings menu:

Enter '1', '2', or 'p' within 2 seconds or take default...

Quickly hit "p" (if you miss it, reboot, run the exploit and try again) and enter the following:

Board IP Address [0.0.0.0]: 192.168.100.1 (press enter)
Board IP Mask [255.255.255.0]: (leave blank)
Board IP Gateway [0.0.0.0]: (leave blank press enter)
Board MAC Address [00:10:18:ff:ff:ff]: (leave blank press enter)
Internal/External phy? (i/e)[i] (leave blank press enter)

This will take you to the Main Menu:

Main Menu:
==========
  d) Download and save to flash
  g) Download and run from RAM
  c) Store icePROM bootloader to flash
  b) Boot from flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory

Select "d) Download and save to flash":

Board TFTP Server IP Address [0.0.0.0]: 192.168.100.10  
Enter TFTP filename []: haxorware11rev39-DIAG.bin 

Here 192.168.100.10 is the static IP address that we assigned to the computer running the TFTP server earlier, and haxorware11rev39-DIAG.bin is the name of the firmware image in the TFTP server's directory. (If you just want the older stock Ambit 250 firmware instead, put that image on your TFTP server and enter its name here.)

Free store: a0500000
Starting TFTP of haxorware11rev39-DIAG.bin from 192.168.100.10
Getting haxorware11rev39-DIAG.bin using octet mode
................................................................................
[..]
.................................................................
Tftp complete
Received 2097152 bytes
HCS failed on Image 0 Program Header

The modem downloads the image as shown above; once the transfer is complete, choose to store it to the modem's flash.
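Before answering "y" at the store prompt, it is worth confirming that the modem really pulled the intended image, in full, from your own TFTP host. The script below is an added example (not part of this write-up or of Haxorware): it parses the bootloader transcript shown above, compares the reported byte count with the local image file and prints the image's SHA-256 so you have a record of exactly what went into flash. The script name check_flash.py and the embedded sample transcript are constructed for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# Serial-console output from the bootloader's "d" option, constructed here from
# the lines quoted in this write-up (paste PuTTY's session log in practice).
TRANSCRIPT = """\
Free store: a0500000
Starting TFTP of haxorware11rev39-DIAG.bin from 192.168.100.10
Getting haxorware11rev39-DIAG.bin using octet mode
Tftp complete
Received 2097152 bytes
HCS failed on Image 0 Program Header
"""

def parse_transcript(text):
    """Extract filename, TFTP server, byte count and status from the bootloader output."""
    start = re.search(r"Starting TFTP of (\S+) from (\S+)", text)
    recv = re.search(r"Received (\d+) bytes", text)
    if not (start and recv):
        raise ValueError("transcript does not show a finished TFTP transfer")
    return {
        "filename": start.group(1),
        "server": start.group(2),
        "received": int(recv.group(1)),
        "complete": "Tftp complete" in text,
        # Expected for Haxorware: the image has no standard header, so the
        # header check (HCS) fails and the bootloader asks before storing it.
        "hcs_failed": "HCS failed" in text,
    }

def check_transfer(text, image, expected_name, expected_server="192.168.100.10"):
    """Return (ok, problems, sha256) for the image bytes the modem just pulled.
    ok is True only when the modem fetched the intended file from our TFTP host
    and received exactly as many bytes as the local image contains."""
    info = parse_transcript(text)
    problems = []
    if info["server"] != expected_server:
        problems.append(f"fetched from {info['server']}, expected {expected_server}")
    if info["filename"] != expected_name:
        problems.append(f"fetched {info['filename']}, expected {expected_name}")
    if not info["complete"]:
        problems.append("bootloader never printed 'Tftp complete'")
    if info["received"] != len(image):
        problems.append(f"size mismatch: modem got {info['received']} bytes, local image is {len(image)}")
    return not problems, problems, hashlib.sha256(image).hexdigest()

if __name__ == "__main__":
    # Usage: python check_flash.py haxorware11rev39-DIAG.bin [putty-session.log]
    path = Path(sys.argv[1])
    log = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else TRANSCRIPT
    ok, problems, digest = check_transfer(log, path.read_bytes(), path.name)
    print(f"sha256 {digest}")
    print("OK to store" if ok else "DO NOT store:\n  " + "\n  ".join(problems))
```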

Image does not have standard header.  Do you wish to store it? [n] y  (press enter)
Programming 2097152 bytes
Enter sector to start store: 0   (type 0 press enter)
Store parameters to flash ? [n]   (press enter)

Done!
Reboot, and you can now go to 192.168.100.1 (the default address) and access the Haxorware web UI.

Haxorware Web UI

Note: make sure you read up a bit about Haxorware and turn off firmware updating; otherwise, if you connect the modem to the Virgin cable network, it will TFTP-download the "newer" (locked) firmware from Virgin and you will be back at the start, with a locked console and no Haxorware!

References/Credits