I verified this myself. Set up a TFTP server on an interface with the same IP address as the headend. Then as you reboot the modem, be constantly pinging the modem's HFC IP address through the spoofed interface you created. The cable modem, when it comes up, will then try to TFTP its config file from YOUR machine and not the headend, because you have injected your MAC address into its ARP table for that IP address.

The encryption on the configuration file wasn't a big deal either, because you could get most of the needed information via SNMP IIRC. Most ISPs now disable SNMP and have bots scanning for connections where the actual speed doesn't match the account information.

Score:3, Informative