Hacker News
How a cable modem works (c. 2002) (usr.com)
84 points by jqcoffey on July 31, 2022 | 23 comments



> That 6 MHz is used to encode MPEG-2 frames containing video, color, and audio information that your cable box or TV decodes into picture and sound. If you graphed a single channel provided by the cable operator, it would look similar to Figure 2-2.

> A DOCSIS channel can be graphed in the same fashion; however, instead of video, color, and audio information inside the MPEG-2 frames, it contains a data stream that represents computer information. Due to the "spectral shaping" of a data signal, there are no video or audio signals present, and the graph looks like Figure 2-3.

This seems wrong. I think figure 2-2 is an analog NTSC video channel and figure 2-3 is a digital MPEG-2 or DOCSIS-over-MPEG-2 channel. Both of the digital channels should have the same spectral envelope.

Interesting that they put MPEG-2 headers on the data frames, probably "system" frames, and done so for compatibility with existing headend and STB equipment.


It is incorrect. As you state, a video/audio channel and a DOCSIS channel would look the same on a spectrum analyzer.

Here's a sweep of all the channels (from 80 to 750 MHz) on my Comcast system. This was taken back in 2014, and there were still three NTSC channels (two of which were just a black frame and silence).

https://www.w6rz.net/span.png

A zoom of the last channel at 729 MHz.

https://www.w6rz.net/last.png

MPEG-2 Transport Streams are used for DOCSIS because it's baked into the QAM specification. It's built around 188-byte packets that start with 0x47.

https://wagtail-prod-storage.s3.amazonaws.com/documents/ANSI...


Notice that the introduction section of the document is titled "Information for End Users, Customer Support Technicians, Field Engineers, and Network System Administrators Introduction"

It's hard to imagine that just twenty years ago, we treated users far less like idiots, and gave them plenty of documentation even if they wouldn't read or understand it all.


I get what you're saying, but 20 years ago a larger percentage of end users were computer-literate than today.


> All data that is present on the downstream is encapsulated into MPEG-2 frames.

In other words, “you’re now watching The Internet Channel(tm)”


Only slightly more ridiculous than the ADSL encapsulation stack.


Does anyone remember early cable modems allowing viewing other computers? What allowed that to happen?

I didn't know enough about networking at the time, but I recall seeing this at friends' houses in maybe the late '90s. You could go into "Networking" in Windows and see basically all the PCs on the street/neighborhood. I assume this was with the PC directly connected (no router) and maybe using WINS, but I'd be curious if there are more details behind why this could even happen. Did this also mean you'd be able to sniff other people's network traffic?


IIUC, old cable modem networks were all one simple circuit, such that there was no unicast traffic. Much like how Ethernet hubs used to work: everyone who transmits would be communicating with everyone else's cable modems on the same node, not just the gateway. So it was trivially easy to spy on others' traffic, and if you plugged your computer straight into the cable modem (and didn't use a router of your own), it was pretty much as if you were on a LAN with everyone else on the same node (basically your whole neighborhood).

In the beginning of cable modem rollout, consumer routers were not yet common either, so most people were plugging straight into their modem. Cable companies encouraged this, and would charge for additional cable modems if you wanted to use more than one computer.


You don’t need a hub; if all the computers are on one LAN they can see each other, that’s the whole idea. The difference with now is that back then you’d have one computer directly connected to the internet, while now you have a router connecting your home network with the internet using NAT.


What I mean is that back then, you were on the same network as everyone else on your _block_, not just your household. You couldn't send packets just to your ISP's gateway; due to the nature of how the coax cable was wired, you were sending packets to everyone else connected to the same ISP node. (Ethernet as a protocol is designed to ignore unicast packets that are not addressed to your MAC address, which is why this works just fine.)

You couldn't connect a simple hub with multiple computers to your cable modem back then either, IIRC because your MAC address had to be registered to their gateway, and it didn't really tolerate having multiple MAC addresses on the same cable modem. Which is why consumer routers started to get popular, because they allowed you to "share" your cable modem connection with multiple machines in the same home.

Edit: 1000100_1000101 explains the physical setup better than me: https://news.ycombinator.com/item?id=32302361


Essentially you were linked into a badly managed network that inter-routed clients on the head end side, without isolating clients. Often with Ethernet emulation involved, if not straight Ethernet going on.

Essentially, routing done badly by ISP.


Not quite. It was ISP incompetence (or malice, who knows), but not due to routing. Everyone in your neighbourhood was on branches off of the same string of coax. I think a CMTS (Cable Modem Termination System... a box run by your ISP that sends you your SYNC, MAP, etc.) headend could be like 20 miles of coax away. Anybody on that 20 miles of coax, assigned to the same channel, would share routing, i.e.: send down this cable on this channel's frequency.

Each cable modem knew which devices were attached to them (IP and MAC). A dumb ISP would limit you to one MAC on the CM, even though it made no difference to them. Perhaps trying to upsell more connections. Everyone just got routers instead. The CM receives packets from the CMTS for everyone on your 20 mile stretch of cable. It needs to decode them to know who they're for, where one ends and where a new packet starts. An option, configured by the ISP and downloaded as you connect to the network, would tell your modem to either discard all traffic that didn't belong to a known device on your local subnet, or just spew absolutely everything out on your local ethernet. Many ISPs configured their modems to spew everything. Not only was this insecure, most PCs didn't handle all the ethernet interrupts gracefully either, and it could grind your PC to a halt.

CMs also supported encryption, optionally, at the discretion of the ISP (the "Baseline Privacy" you see in the article). Hardware-assisted encryption was just rolling out, and only on some CMs, so many ISPs would have this off to improve throughput. DES or 3DES, and possibly another option, was available at the time. Your CM and the CMTS would negotiate keys and rotate them with fresh ones every now and then (configurable duration). With this in place, your modem wouldn't be able to decode your 20 miles of neighbours' traffic. Your data was secure, at least to the cable office, which could act as nefariously as they chose (why end-to-end encryption is ideal).

Traffic on another channel would never be decoded (unless the CMTS told your CM to switch channels; it could actively migrate you to optimize the network, shunt you off a channel whose hardware was about to be replaced, then move you back, all seamlessly... there would be a slight hiccup while it re-did ranging, etc.).

Source: I used to write CM firmware for DOCSIS 2.0 modems in the late 90s.


Ahhh, the combination of options that led to CMTS allowing client->CMTS->client connection is what I alluded to with "ethernet emulation" (I bet it also made sense for some setups). Great to see some more detail.

BTW, I seem to recall that at least in early 2000s it was kinda popular to hack TFTP servers providing CM configuration files, to somehow change speeds available - was that really doable, or did retelling mangle the details?


TLDR: I don't know. :)

The configuration was just a file. The file format was standardized to allow any modem to work, I believe, so in theory someone could replace the configuration file without much effort. The ISP would know the CM MAC, possibly another identifier (it's been a while, I don't recall everything), to know what services/speeds to allow for a particular customer, and know which config to send them. If the ISP just made the filename for a customer the CM's MAC, it would be easy to replace for just one user. If it looked up which configuration to supply a customer from a database, you'd need to tweak that. As the configuration selection gets more complex, you might just get hackers replacing a config shared by hundreds or thousands of customers... the massive uptick in traffic that would cause would likely cause trouble. No idea how quickly they'd find the replaced config, but if it was affecting everyone on the same plan, I imagine they'd clue in pretty quick.

I'm not aware of how people abused the system or how the ISP configuration side was generally done, but it sounds plausible. What I don't recall is if the downstream bandwidth is actually listed in the CM config, since only the CMTS needs to know the limit on what it can send, or what upstream bandwidth to allow. A CM can request to download whatever it wants, but the CMTS will throttle your downstream and upstream bandwidth however it wants. If it's in the config, and if the CMTS reads and uses the same config, then sure.

Even if they were separate configs, and the CMTS config was non-standard, people may also have just copied the higher-end CMTS config over top of the lower-end one. Who knows.

But yeah, if you did it in a way that affected everyone, you'd probably cause enough trouble to get noticed pretty quickly.


When I moved to Santa Monica (Los Angeles) in January 2000 I made many text files on neighbor Mac desktops explaining how having sharing turned on made their private files available to everyone in the 'hood via their cable modem.


I do! It was before they started blocking NetBIOS over TCP/IP.


I do recall this. There were so many insane networking issues that cropped up in the early days of "always-on" internet.


You also used to be able to plug in any standard DOCSIS cable modem, change DNS, and you'd have free internet.


I was surprised to see USR still exists, and they even make modems! Doesn’t seem like they’ve done much of any innovation, and now they’re part of some weird IT corp that I can barely understand what they even do. Who makes these websites for enterprise customers? “We sell solutions for your problems”. Ok but what do you actually do?


I didn't think it would combine the downstream cable video as well as "data that is decoded and presented as information available for computer usage (i.e., the Internet). (whatever that means)" into MPEG-2 frames.

I was under the impression that internet downstream and upstream are simply operating on different multiple QAM channels in different distinct frequency bands.


Essentially yes. The video channels and the DOCSIS channels are distinct, and your street or close neighborhood may share the same DOCSIS (and on-demand TV) channels while your city might share the same broadcast channels.

The document refers to "qam-lock" IMHO wrongly (I was a cable protocol/encryption wrangler in a previous life). "qam-lock" is more a matter of tuning to a channel, sampling it to extract the signal (this means extracting a clock from it), then running the signal through enough of the error correction and framing logic so that you can extract the transport stream packets.

That's "qam-lock". At this point you still don't know what's in the stream. You could just look for 0x1ffe PIDs and decide you have DOCSIS, but video QAMs will carry PAT tables in PID 0 which will point to PMTs (which can be in PID 0x1ffe), which in turn point to QAMs and PIDs containing video/audio/CA/etc. (details vary greatly between implementations). Which is a long way of saying "just looking for PID 0x1ffe may not be enough".
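An added example, not from the thread or any of its posters, that ties the two points above together: a minimal MPEG-2 Transport Stream walker that resyncs on the 0x47 byte repeating every 188 bytes, extracts PIDs, and only calls a channel DOCSIS when PID 0x1ffe is seen *and* no PAT is present in PID 0. The packet and PAT builders are constructed test data (CRC32 left as zeros), not real captures.

```python
import struct

TS_PACKET, SYNC = 188, 0x47
DOCSIS_PID = 0x1FFE        # PID carrying DOCSIS MAC frames on a data QAM
PAT_PID = 0x0000           # Program Association Table, present on video QAMs

def make_packet(pid, payload, pusi=False):
    """Build one 188-byte TS packet (payload only, no adaptation field); constructed test data."""
    hdr = bytes([SYNC, (0x40 if pusi else 0) | (pid >> 8), pid & 0xFF, 0x10])
    return (hdr + payload[:184]).ljust(TS_PACKET, b"\xFF")

def make_pat(programs):
    """Build pointer field + PAT section mapping program_number -> PMT PID (CRC32 left as zeros)."""
    entries = b"".join(struct.pack(">HH", num, 0xE000 | pid) for num, pid in programs.items())
    length = 5 + len(entries) + 4             # bytes after section_length: fixed header, entries, CRC
    header = b"\x00" + struct.pack(">H", 0xB000 | length) + struct.pack(">HBBB", 1, 0xC1, 0, 0)
    return b"\x00" + header + entries + b"\x00" * 4

def ts_packets(buf):
    """Resync on a 0x47 that repeats every 188 bytes, then yield (pid, pusi, payload) per packet."""
    start = next(i for i in range(TS_PACKET) if i + TS_PACKET <= len(buf)
                 and all(buf[j] == SYNC for j in range(i, len(buf) - TS_PACKET + 1, TS_PACKET)))
    for off in range(start, len(buf) - TS_PACKET + 1, TS_PACKET):
        pkt = buf[off:off + TS_PACKET]
        pid = struct.unpack(">H", pkt[1:3])[0] & 0x1FFF
        afc = (pkt[3] >> 4) & 0x3
        body = 4 + (1 + pkt[4] if afc & 0x2 else 0)   # skip adaptation field when present
        yield pid, bool(pkt[1] & 0x40), (pkt[body:] if afc & 0x1 else b"")

def parse_pat(payload):
    """Return {program_number: pmt_pid} from a PAT payload that starts with its pointer field."""
    sec = payload[1 + payload[0]:]
    length = struct.unpack(">H", sec[1:3])[0] & 0x0FFF
    entries = sec[8:3 + length - 4]                  # after the 8-byte header, before the CRC32
    return {num: pid & 0x1FFF for num, pid in struct.iter_unpack(">HH", entries)}

def classify(buf):
    """'video' if a PAT is present, else 'docsis' if PID 0x1FFE is seen, else 'unknown'."""
    pids, programs = set(), {}
    for pid, pusi, payload in ts_packets(buf):
        pids.add(pid)
        if pid == PAT_PID and pusi and payload:
            programs.update(parse_pat(payload))
    if programs:
        return "video"          # PAT present: 0x1FFE here may just be a PMT, not DOCSIS
    return "docsis" if DOCSIS_PID in pids else "unknown"

# Constructed sample streams, each with two junk bytes in front to exercise the resync.
DOCSIS_STREAM = (b"\xAB\xCD" + make_packet(DOCSIS_PID, b"\xC0\x00\x00\x1A" + b"docsis mac frame", pusi=True)
                 + make_packet(0x1FFF, b""))
VIDEO_STREAM = (b"\xAB\xCD" + make_packet(PAT_PID, make_pat({1: DOCSIS_PID}), pusi=True)
                + make_packet(DOCSIS_PID, b"\x00\x02", pusi=True) + make_packet(0x100, b"video es"))
```

Both sample streams contain PID 0x1ffe, so a naive PID check would flag both as DOCSIS; `classify` returns "video" for the second because its PAT in PID 0 points a PMT at 0x1ffe.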


I'm surprised this hasn't been mentioned yet - https://www.scribd.com/document/326040021/Defcon-16-Coax-Thi...

It was a big deal back 10 years ago or so. I don't think it'd work nowadays.


https://news.ycombinator.com/item?id=31358855#31362310

MoCA: run your Ethernet over the cable TV coax in your house



