Building a Fake ISP
Nine years of the CypherCon ISP Hacking Ward
It's run for nine years. This is the story of how it actually gets built, including the stupid, undocumented, soul-grinding parts nobody writes down. The thesis underneath all of it has never moved. Every layer you trust was built by someone who was tired and improvising, and the wire was always a target. The ward is that lesson made out of coax and glass and 3.5 GHz so you can put your hands on it.

The nine-year climb
There's a spine hiding in that list. The fiber gear in year 9 isn't carrier-grade, it's cheap, open, white-label hardware, and that was on purpose. It wasn't an aesthetic choice. It was the lesson of years 6 and 7. Two years of locked, expensive, uncooperative carrier equipment taught us that a hack lab wants open and breakable, not sealed and certified. We never decided "cheap and open beats real and locked" as a slogan. We got there by losing two years to the alternative. The failures aren't footnotes to the build. They're the reason it looks the way it does.
The DOCSIS headend
Walk up and it's a cable ISP. There's a CMTS, there are cable modems, you plug into coax, and either you range and get online or you don't, because your modem needs new firmware first and that's the game. The familiarity is the trap. The point is to drop a seasoned network person below the layer they live at, into the RF and boot plane they've never had to think about.

One byte
Unlocking it was a twelve-hour reverse-engineering descent through ELF RE, VxWorks binary patching, squashfs extraction, MIPS assembly, and serial hex dumps, with a startup script that cheerfully undid the patch on every reboot until I caught it. After patching the wrong byte more than once, the whole thing came down to a single flip, 0x40 to 0x00, and suddenly the full CLI and web interface were mine. One byte, half a day, total ownership. I cut a short on that particular suffering: [One Wrong Byte = Pure Chaos](https://youtube.com/shorts/09A16OT24XE).
Provisioning is a chain of silent failures
The three-headed modem
The human cost was countless hours and at least ten bricked modems along the way, every one of which I got back, because I took the identity backups first. That's the whole moral of the partition section. The discipline that felt paranoid is the only reason a bench of bricks became a bench of working modems instead of a pile of e-waste.
Twenty channels of capability, one channel of reality
GPON fiber
The hardest engineering on this side wasn't the hacking, it was the physics. Getting the optical power budget right took inline attenuation, because the ONTs came in too hot to land in spec, and there was a VLAN-transparency fight that only resolved after a full factory reset and rebuild. Fiber doesn't care about your config until the light levels are right.
Private cellular, seven months of hell
And then voice. Native VoLTE on the free phones I'd accumulated was blocked deep in the modem firmware in a way no config could fix. So, same move as everywhere else in this ward, I stopped fighting the wall and climbed a layer. Android gates VoLTE behind its own trust model, and forcing it on for a private network the phone has never heard of means getting at privileged carrier components. The wall that defined the whole fix: the phone wouldn't honor the override unless it was signed. Android won't let a random app act as a privileged carrier component, it has to be properly signed to be trusted. So the answer became a private, signed app that forced VoLTE on for my network. Once it was signed, the phone trusted it, the voice bearer came up, and the thing finally rang. The radio wanted it signed. So I signed it.
Voice, and the one that still beats me
The NOC that ties it together
The part nobody photographs
Which brings it back to that sign. The build is convincing enough, real CMTS, real fiber, real cellular, real dial tone, that we've been required to post signs telling people the entire thing is a simulation, so nobody thinks they've stumbled into something live and illegal. That sign is the thesis printed on foamcore. The only thing separating this table from a real ISP is a piece of paper that says simulation.
The actual lesson
Three walls that should have been fatal, beaten the same way every time, not by hitting them harder but by stepping one layer over from where the wall was. That's the takeaway, and it's the same instinct that makes the ward worth walking through. It teaches you that the floor you're standing on is a layer someone else built, and the interesting move is almost always one level down, or one level over, from where you were looking.
There is no secure room. There's just the next layer, and whether or not you thought to check it.