# Full Report
The author had an old cable modem sitting in their closet. While browsing some forums, they learned that the device had a built-in spectrum analyzer for diagnostics. So, they wondered: if a cable modem and a TV tuner do the same thing, can this be turned into an SDR? Let's find out!

To initially gain access, they set up a UART console. This gave them a wealth of information, such as the OS and processor being used. However, once booted, the serial console is disabled. The only interesting thing is entering the bootloader prompt to load a new image or read/write memory locations directly. The bootloader is a good target, but that cannot be done blindly. Upon looking at the board, they learned that all persistent storage was on a single SPI flash chip. Can we dump this? The Winbond 25Q32JV has a datasheet with pinouts and is supported by flashrom! We have a problem though: dumping an SPI flash chip requires power. If we give the board power, the chip will be in use, preventing us from reading out the data we want. The solution? Disconnect the chip's VCC from the board by carefully lifting that pin off its pad. The author also did this with the chip select (CS) line, since it is commonly wired to VCC as always-on. To connect to the chip, the author wires up all of its pins. Additionally, they put a jumper wire onto the pads without legs and connect the leg to the jumper whenever they want to boot normally. Now, using flashrom and a Raspberry Pi, the image can be completely dumped. They even have the commands they ran!

What's in the image? The author could see some credentials, but that was about it. Luckily, the tool bcm2-utils can dump, parse and modify configuration files from Broadcom cable modems. They modify the image's configuration to turn on the serial console and set a simple telnet password. Neat! They boot back into the device with serial and are greeted with a nice eCos console to pop a root shell.
While there, they couldn't find any commands to turn on the spectrum analyzer, so they started reversing the OS code in Ghidra. So many interesting quirks came out of reversing! For example, the call command can be used to call code at any location. While reversing, they came across the code that enables the bandpower measurement for a given frequency range in the eCos console. The code indicated that the analyzer just changed a few memory-mapped registers, indicating that it was just running at a slightly higher power. When they read this memory location, they saw raw IQ data! They wrote some magic scripts to trigger the code mentioned above. They set the registers to look at particular ranges, turning this into an SDR. Parsing FM radio signals was possible via some code they wrote. Mission accomplished! Overall, an awesome article on reverse engineering, with some great tricks such as lifting the legs off the chip. Good write-up!
# Analysis Summary
# Research: Reverse engineering my cable modem and turning it into an SDR (cm-sdr)
## Metadata
- **Authors:** stdw (GitHub handle)
- **Institution:** Independent Research / Open Source Community
- **Publication:** GitHub Pages Project Documentation
- **Date:** Circa 2023 (Latest firmware/build refs 2015-2023)
## Abstract
The research documents the hardware exploitation and software reverse engineering of a Motorola MB7220 cable modem to repurpose its internal diagnostic spectrum analyzer as a functional Software Defined Radio (SDR). By gaining serial access, dumping and patching SPI flash memory, and reverse engineering the eCos-based operating system in Ghidra, the author successfully tapped into raw IQ (In-phase and Quadrature) data from the Broadcom BCM3383 chip. The project results in the ability to capture and demodulate FM radio signals directly through the modem’s hardware.
## Research Objective
The primary objective was to determine if a consumer cable modem, which shares fundamental architecture with digital TV tuners (QAM demodulation), could be modified to function as a general-purpose SDR.
## Methodology
### Approach
1. **Hardware Reconnaissance:** Identification of UART headers and SPI flash chips.
2. **Flash Extraction:** Physical modification of the PCB (lifting pins) to dump firmware without interference from the SoC.
3. **Firmware Analysis:** Usage of `bcm2-utils` to modify configuration files to enable disabled services (Telnet/Serial console).
4. **Static/Dynamic Analysis:** Reverse engineering the OS binary (eCos) using Ghidra to identify hardware-register-level commands for spectrum analysis.
5. **Implementation:** Developing custom scripts to trigger memory-mapped register reads to stream raw IQ data.
### Dataset/Environment
- **Target Hardware:** Motorola MB7220 Cable Modem.
- **System on Chip (SoC):** Broadcom BCM3383D.
- **Operating System:** eCos (Real-time OS common in embedded devices).
### Tools & Technologies
- **Hardware:** Raspberry Pi (as a programmer/serial interface), Multimeter, Soldering Iron.
- **Software:** `flashrom`, `bcm2-utils`, `Ghidra`, `cu` (serial communication), Python (for signal processing).
## Key Findings
### Primary Results
1. **Hidden Latent Capability:** The Broadcom BCM3383 contains a hidden spectrum analyzer intended for line diagnostics that can be coerced into providing raw RF data.
2. **Memory-Mapped IQ Access:** Raw IQ data is accessible by writing to specific registers that trigger bandpower measurements and reading the resulting memory buffer.
3. **Successful Demodulation:** The device, while constrained by its original design, is capable of receiving and demodulating FM radio (88-108 MHz) and narrowband FM (154 MHz).
### Supporting Evidence
- Successful capture of FM radio stations with discernible stereo channels.
- Successful audio output of local fire department transmissions using custom demodulation scripts.
### Novel Contributions
- Documentation of a specific "hidden" SDR capability in ubiquitous cable modem hardware.
- A method for bypassing bootloader-locked serial consoles via SPI flash configuration patching.
## Technical Details
The core of the "SDR" functionality lies in the discovery that the spectrum analyzer function operates by populating a memory buffer with raw samples at a high sample rate. The researcher discovered the `call` command in the eCos shell, which allows executing any memory address. By identifying the function responsible for "bandpower measurement," the researcher could manually trigger samples. To handle the high data rate (approx. 14.8 MHz), the researcher implemented threading and semaphores within the modem’s OS to pack, downsample (by factor of 32), and stream data over the network via Telnet.
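The downsample-then-discriminate chain described above, as an added Python example written for this page rather than taken from the cm-sdr project: the IQ input is synthesized inside the block, and the sample rate, tone and deviation are constructed assumptions. It decimates by 32, runs a quadrature discriminator, and recovers the modulating audio tone.

```python
import cmath
import math

# Constructed parameters for the synthetic capture (assumptions, not values
# taken from the modem): a 1.024 MS/s stream, a 1 kHz audio tone, 5 kHz deviation.
FS_IN = 1_024_000
TONE_HZ = 1000.0
DEVIATION_HZ = 5000.0
DECIMATE_BY = 32


def make_fm_iq(fs, seconds, tone_hz, deviation_hz):
    """Synthesize complex-baseband FM: a tone frequency-modulates a carrier at 0 Hz."""
    n = int(fs * seconds)
    phase, iq = 0.0, []
    for i in range(n):
        m = math.sin(2 * math.pi * tone_hz * i / fs)
        phase += 2 * math.pi * deviation_hz * m / fs  # integrate instantaneous frequency
        iq.append(cmath.exp(1j * phase))
    return iq


def decimate(iq, factor):
    """Boxcar-average blocks of `factor` samples (the page's downsample-by-32 step)."""
    return [sum(iq[k:k + factor]) / factor
            for k in range(0, len(iq) - factor + 1, factor)]


def fm_discriminate(iq):
    """Quadrature discriminator: arg(x[n] * conj(x[n-1])) tracks instantaneous frequency."""
    return [cmath.phase(iq[i] * iq[i - 1].conjugate()) for i in range(1, len(iq))]


def dominant_freq(signal, fs):
    """Estimate a single tone's frequency from zero crossings of the zero-mean signal."""
    mean = sum(signal) / len(signal)
    s = [v - mean for v in signal]
    crossings = sum(1 for i in range(1, len(s)) if (s[i - 1] < 0) != (s[i] < 0))
    return crossings * fs / (2 * len(s))


def demod_pipeline(iq, fs_in, factor=DECIMATE_BY):
    """Decimate raw IQ, discriminate to audio, and return (tone estimate, audio rate)."""
    audio = fm_discriminate(decimate(iq, factor))
    fs_audio = fs_in / factor
    return dominant_freq(audio, fs_audio), fs_audio


if __name__ == "__main__":
    samples = make_fm_iq(FS_IN, 0.05, TONE_HZ, DEVIATION_HZ)
    est, fs_audio = demod_pipeline(samples, FS_IN)
    print(f"audio rate {fs_audio:.0f} Hz, recovered tone ~{est:.0f} Hz")
```

With the constructed parameters the recovered tone lands within a few hertz of 1 kHz; feeding real captures means replacing `make_fm_iq` with the unpacked samples and the true ADC rate.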
## Practical Implications
### For Security Practitioners
- **Hardware Trust:** Demonstrates that legacy "closet" hardware contains powerful RF capabilities that can be repurposed for surveillance or unauthorized signal interception if compromised.
- **Persistence:** Shows how modifying SPI flash can enable permanent backdoors (Telnet/Serial) that survive standard factory resets.
### For Defenders
- **Configuration Hardening:** Highlights the need for manufacturers to disable debug "call" commands in production shells, as they allow arbitrary code execution.
### For Researchers
- **Hardware Reuse:** Provides a blueprint for converting "e-waste" into functional scientific instruments.
## Limitations
- **Latency:** Inherent delay in the OS's "measurement done" flag leads to approximately 12% dropped data during streaming.
- **Bandwidth:** The ADC clock divider was not found, requiring CPU-intensive software downsampling that raises the noise floor.
- **RF Range:** Limited to the tuner's hardware filters designed for cable frequencies.
## Comparison to Prior Work
While projects like RTL-SDR utilize cheap DVB-T dongles, this research applies the same logic to **DOCSIS** hardware, which is significantly more complex and locked down. It bridges the gap between simple USB-peripheral exploitation and full-on embedded system reverse engineering.
## Real-world Applications
- **Low-cost RF Monitoring:** Repurposing discarded modems for localized signal monitoring (FM, Emergency Services).
- **Embedded Systems Education:** A case study in end-to-end reverse engineering (Hardware -> Firmware -> Software -> RF).
## Future Work
- Identification of the hardware clock divider register to reduce ADC sample rates at the source.
- Implementation of an interrupt-driven capture system to eliminate the 12% data loss caused by polling loops.
- Developing a specialized driver to make the modem compatible with standard SDR software (e.g., SDR# or GNU Radio).
## References
- [stdw/cm-sdr GitHub Repository](https://github.com/stdw/cm-sdr)
- [Broadcom BCM2 Utilities](https://github.com/v8u/bcm2-utils)
- [flashrom Project](https://flashrom.org/)