Hello,
I've recently had a hot potato dropped in my lap and I hope someone here can help me.
I work for a small company that built cable modems into electrical meters for a customer several years ago. Now the customer wants to do BPI+ with these modems and the original team didn't create any certificates for the firmware that was developed.
I have access to the firmware images that were compiled and parts of the original source, but I have no idea how to get from there to creating a Manufacturer CVC. Are there any tools available to do this?
We were working on Broadcom BCM3349 chips.
Any help would be greatly appreciated.
Hi,
Here are some thoughts from me as an Operator/Engineer on the CMTS side. A Manufacturer CVC alone is not enough. For full BPI+ your Manufacturer CVC must be chained to the DOCSIS (Annex B) root cert from CableLabs or, for EuroDOCSIS (Annex A), to the root cert of tComLabs (now known as Excentis). Then you can use only one MAC address for the RF interface per device. If you want to provide MAC address cloning for the RF interface, then you need a cert generator for self-signed certificates. Self-signed certificates must be added to the CMTS manually. Therefore you should use the same solution as JDSU:
Example from the JDSU DSAM:
No BPI: cloning MAC-Address is possible
BPI: cloning MAC-Address is possible
BPI+: cloning MAC-Address isn't possible
Then you need no self-signed cert generator on the platform.
Once you have introduced BPI+ successfully, you must create for every device its own firmware with the individual certificates.
Long text, short result: it's hard work.
Maybe you can take a look at http://www.haxorware.com/. This firmware is designed for the BCM3349 and is based on eCos. Maybe you can crossflash this image to your devices during the noisy bootloader to learn something about certificates on cable modems.
I presume you run eCos and not VxWorks anymore on the BCM3349. However, on both operating systems there should be a bpi menu in the non-vol section.
Please note: I'm just an Operator/Engineer at an MSO and not a developer of cable modem firmware images, but I hope some of these hints will help you.
Last but not least: http://www.cablelabs.com/specifications/CM-SP-BPI+-C01-081104.pdf
regards,
wittmann
FYI.
The Manufacturer CVC is used for SSD (Secure Software Download) and has nothing to do with the embedded certificate in the modem that is chained to the DOCSIS Root Cert.
Most vendors implement the embedded digital certificate into the modem during manufacturing. This certificate is used for PKI authentication for BPI+ with the Root-Cert on the CMTS. Most manufacturers will have their certificate chained to the Root-Cert on the CMTS. Again, the CVC (Code Validation Certificate) is used for Secure Software Download.
Self-signed certificates do NOT need to be loaded into the CMTS anymore; all you have to do is change the CMTS to allow self-signed certificates or run the modem in DOCSIS 1.0 mode with traditional BPI, in which case the embedded certificate is NOT required.
Hope this helps.
Regards,
Will
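An added example, not part of the thread or of any vendor's tooling: it models the difference discussed above between a modem certificate chained through a manufacturer CA to a root and a self-signed modem certificate, using `openssl` on a constructed hierarchy. The subject names, the MAC address and the helper functions (`new_csr`, `issue`, `build_pki`, `verify_cert`) are assumptions made for illustration; no real DOCSIS root or CMTS is involved.

```sh
#!/bin/sh
# Constructed hierarchy: root CA -> manufacturer CA -> per-modem certificate.
# Every name and the MAC address are made up; no real DOCSIS keys are involved.
WORK=$(mktemp -d)

# new_csr NAME SUBJECT: write NAME.key and NAME.csr into $WORK
new_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER EXT: sign NAME.csr with ISSUER's key using EXT.ext;
# when ISSUER equals NAME the certificate is self-signed.
issue() {
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$3.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$3.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  new_csr root "/O=Constructed Root/CN=Example Root CA" || return 1
  issue root root ca || return 1    # stand-in for the root the verifier trusts
  new_csr mfg "/O=Example Meter Co/CN=Example Mfg CA" || return 1
  issue mfg root ca || return 1     # manufacturer CA, signed by the root
  new_csr cm "/O=Example Meter Co/CN=00:11:22:33:44:55" || return 1
  issue cm mfg leaf || return 1     # modem certificate chained to the root
  new_csr self "/O=Example Meter Co/CN=00:11:22:33:44:55" || return 1
  issue self self leaf              # self-signed modem certificate, same MAC
}

# verify_cert NAME: succeed only if NAME.pem chains through mfg.pem to root.pem
verify_cert() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/mfg.pem" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

build_pki || { echo "openssl failed" >&2; exit 1; }
for c in cm self; do
  if verify_cert "$c"; then echo "$c: chains to root"; else echo "$c: rejected"; fi
done
```

A verifier that enforces the chain accepts only `cm`; the self-signed certificate carries the same MAC address but is accepted only where chain enforcement is relaxed.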
@Will
OK, you're right, my mistake. The Manufacturer CVC is for SSD. My issue was that I focused on the topic of BPI+ and authorization between CM and CMTS, because many manufacturers of cable modem simulators implemented in the past the feature of cloning MAC addresses, and this will not work anymore on a CMTS where BPI+ is set mandatory. I mixed up the Manufacturer CVC with the cable modem certificate.
regards,
wittmann
Could anybody shed some light on how to actually verify that BPI+ is working correctly? What I mean by that is that I've noticed that it's possible to get modems online(pt) with no DOCSIS root certificate on the CMTS?!
see bottom