Named for two actual black cats, the Blackcat Programmer is a device that can be used to reprogram the Motorola SB5100 cable modem. Blackcat is a cost-effective tool that allows the end user to take full control of the cable modem and perform tasks including installing unofficial firmware modifications, changing the modem's startup procedures, and changing the Media Access Control (MAC) address.
When it was first released, the model SB5100 cable modem was not hackable. When hacking the firmware in older SURFboard modems, we could use a communication port inside the modem to halt the startup sequence and boot from the Ethernet port instead of the flash EEPROM (or boot block). The real flaw in the older modems was not in the concealed port but in the firmware support for it, which was removed in the SB5100.
There are two ways to initially program a flash chip for mass production. The first way is to use a series of "gang programmers" to program many devices externally before they are soldered onto the PCB. The second way is to solder them on and then use the board itself as the programmer. Since the flash is unique on each SB5100 (mostly due to the unique MAC address and certification data), Motorola most likely used the second method at the factory.
To program its millions of modems, Motorola uses the Enhanced JTAG (E-JTAG) specification. The E-JTAG protocol can be used to debug code, execute code, send and receive data, modify CPU registers, and perform many other low-level functions. A 10-pin E-JTAG interface port is located in the middle of the PCB on an SB5100. Only five of the pins are used for receiving and transmitting data; the remaining five are used as grounds.
Build a Blackcat
The first step in developing Blackcat was to create a working prototype of an interface cable that would connect the modem to a PC. You could use the parallel port because it could communicate with the E-JTAG port through just a single data buffer integrated circuit, whereas a serial port connection would have required the use of a microcontroller, which would complicate the design. The advantage of using the parallel port was that our prototype was cheap and easy to build. The disadvantage is that the data speed is limited to the data rate of the parallel port, which is significantly slower than that of a high-speed serial port, such as a USB or a FireWire connection.
The Blackcat Programmer Schematic
The SB5100 cable modem uses a 10-pin Test Access Port (TAP) to communicate with external devices using the E-JTAG protocol; a generic JTAG interfacing cable will not work. With the right parts, you may be able to build your own.