sdmmqy posted on 2010-5-31 11:13:45

(Original) Reverse engineering practice 1: cracking the Motorola Advisor pager password


I have had a wish for a long time. Back in the day, to re-tune those pagers to a new frequency and get them onto the network, the company had no choice but to crack the pagers' passwords. I remember buying two or three decoders in all, at something like 2000-odd yuan each. I didn't understand microcontrollers much then; I only remember it seemed magical. I thought at the time: when will I be able to crack this myself......

Time went by. I remember that in 2007 this came back to mind by chance. I had no logic analyzer then, only an FPGA development board, so I tried using the RAM of an Altera FPGA to record the data. Unfortunately it failed; that little bit of RAM was far too small. My record from then is here: http://www.ourdev.cn/bbs/bbs_content.jsp?bbs_sn=745630&bbs_page_no=1&search_mode=3&search_text=sdmmqy&bbs_id=9999

So the matter had to be shelved. Another three years passed...... and the chance finally came. First I bought forum member Wei Kun's (魏坤) second-edition oscilloscope, then a Saleae LA from another member. I had also just done an nRF24Z1 project with a mega48. It felt like everything was ready, so let's begin.

I have the Motorola pager schematics and service manual, and I also found an article in English. I'll paste it first, which saves explaining.



This U2 contains a 256-byte EEPROM and talks to the MCU over SPI. Unfortunately U2 is not just an EEPROM: it also holds the crystal oscillator, key-press detection and some preliminary decoding, so I think it is more like a microcontroller. A Motorola pager can be given a password when its code is programmed. If the pager has a password, the next time it is read or written it demands the password; if none is entered, or the wrong one, the PC screen warns "password error, you have 7 more attempts". If the password is entered wrongly 7 times in a row, the pager locks up and loses all function, and the only remedy is to replace the code chip.
motorola u 9 How to decode Motorola pager passwords
Posted by Jack Ryan - 2009/04/06 07:40
_____________________________________
Here's a stab at trying to explain how to decode encrypted Motorola Pager Passwords. This has been verified to work with pretty much all Motorola pagers on the market, including 1.5 and 2-way pagers. First.. plaintext pager passwords can only contain A-Z, 0-9 and (space) for characters. The plaintext passwords are always encoded as 10 characters even if there are less than 10 characters in the plaintext password. Basically there is some sort of lookup table contained in the PPS (pager programming software) which either encodes or decodes the password. The lookup table is included further down in this posting.

Conveniently, when a pager's programming is read using the PPS, all the passwords come out (assuming you know the pager's download password if it has one) in the encoded form. You can either sniff the passwords out of the programming read as it's happening or you can save the freshly read pager configuration to a file and then import it into a hex editor as a Motorola S19 file. A favorite program of mine for hex editing, which will import Motorola S19 files, is called Hex Workshop. Finding the passwords is easy. If you are using Hex Workshop, you simply import the saved file (codeplug) and search for a string of letters and numbers. You will see them looking something like this NEJF1K54H5 or something like OJ Y2VPSQV (note the space in the second example). The two encoded passwords listed above decode to ADVELITERF and N500OTAPAS. Passwords are located in different places for different pager models but in the Advisor Golds and Elites the OTA and Download passwords are stored near the top of the file with the Secure password stored towards the lower middle of the file. Beware of the first three characters in the string because they are not related. The best thing to do is find the end of the first string of A-Z and 0-9 characters and count backwards by 20. Grab the next 10 characters forward and decode them.. this is the OTA password. Grab the next 10 characters and decode them.. this is the Download password. Further down, standing out like a sore thumb, is the Secure password. Decode it and you'll have it.

It'd be nice if you post what you find. Passwords have their place but many people are legitimately trying to gain access to pagers which they own and don't have the passwords. By the way, even if there is no download password set, the last known download password is still encoded. It's a matter of a bit set in the pager to tell it to use the password or not. I'm sure there's a lot that I'm not explaining properly, and I'm kind of in a hurry so feel free to email me with questions at jackryan...@yahoo.com. I can also decode passwords for you if you have the stored codeplug file and can send it to me.

Now for the decoding table.. How to use it is this.. there will be 11 columns. The first column is the decoded letter or number of the particular encoded character you are trying to find. The next 10 columns are the encoded characters that you must search and match depending on what position in the encoded password you are trying to find. An example is included below for clarity.

[Table as posted, with its two side-by-side halves (A-R and S-space) merged into one; an underscore marks the space character.]

D   0 1 2 3 4 5 6 7 8 9
A   N 1 O B 6 C P 2 Q D
B   6 C P 2 Q D 7 E R 3
C   P 2 Q D 7 E R 3 S F
D   7 E R 3 S F 8 G T 4
E   R 3 S F 8 G T 4 U H
F   8 G T 4 U H 9 I V 5
G   T 4 U H 9 I V 5 W J
H   9 I V 5 W J 0 K X _
I   V 5 W J 0 K X _ Y L
J   0 K X _ Y L Z M A N
K   X _ Y L Z M A N 1 O
L   Z M A N 1 O B 6 C P
M   A N 1 O B 6 C P 2 Q
N   1 O B 6 C P 2 Q D 7
O   B 6 C P 2 Q D 7 E R
P   2 Q D 7 E R 3 S F 8
Q   D 7 E R 3 S F 8 G T
R   3 S F 8 G T 4 U H 9
S   F 8 G T 4 U H 9 I V
T   4 U H 9 I V 5 W J 0
U   H 9 I V 5 W J 0 K X
V   5 W J 0 K X _ Y L Z
W   J 0 K X _ Y L Z M A
X   _ Y L Z M A N 1 O B
Y   L Z M A N 1 O B 6 C
Z   M A N 1 O B 6 C P 2
0   K X _ Y L Z M A N 1
1   O B 6 C P 2 Q D 7 E
2   Q D 7 E R 3 S F 8 G
3   S F 8 G T 4 U H 9 I
4   U H 9 I V 5 W J 0 K
5   W J 0 K X _ Y L Z M
6   C P 2 Q D 7 E R 3 S
7   E R 3 S F 8 G T 4 U
8   G T 4 U H 9 I V 5 W
9   I V 5 W J 0 K X _ Y
_   Y L Z M A N 1 O B 6

Let's say for example we have 4IS28U5OB6. The first character in the string is a 4, so search down the 0 column until you find 4 and look at the D column for that row. It comes out to be a T so your first decoded character is a T. Next is I.. search the 1 column for I which decodes to a H. Next is S, search 2 column to find E. Search 3 column for 2 to find B.. search 4 column for 8 to find E.. and so on and so on. The decoded string comes out to THEBEST which is a very common PageNet password. Any trailing spaces get dropped so the final password is THEBEST. It also turns out that the PPS software stores its service center passwords the same way. It takes a bit of searching through the PPS executable files which support service center but it's the exact same thing. They usually stand out like a sore thumb. I hope this helps some people figure out what the passwords are that they need. Also be careful of O (Oh) and 0 (zero) as they look very similar. Enjoy! Jack
============================================================================
motorola u 9 How to decode Motorola pager passwords
Posted by Jack Ryan - 2009/04/06 07:40
_____________________________________
Question? This system will only work if you know the pager password? I tried a Motorola Express Xtra from our store stock, I already know the password, just to try if I can find it in Hex Workshop. Thanks. How can I sniff the password out?

In example two, you didn't actually read the pager. The pager won't allow a read till you enter the right password. That's where this system falls short. Knowing how to decode the passwords only helps if you can read the pager or have a codeplug of that pager stored to disk. Jack

P.S. sorry I haven't been around. Work got busy again.
============================================================================

This foreigner's article is very valuable:
1) The pager's password ciphertext is always 10 characters, whether you entered 1 character or 10.
2) When the pager is read with the programmer, these passwords are read by the MCU (U1 in the Advisor), in encrypted form of course.
3) This guy built a look-up table mapping ciphertext to plaintext: 37*10 = 370 entries, which means he tried at least 370 times. His persistence puts me to shame.
4) But as he also says, you only get the plaintext once you have the contents of the codeplug, and he doesn't say how to get the EEPROM contents.
That's all the basic background. So how do we crack this password?
1. Does the serial port send the password to the PC and let the PC software do the comparison?
If so, it would be easy: sniff the ciphertext with the LA and look it up in the lookup table. But Motorola's engineers would not be that dumb. Watching with the Saleae, only the pager's serial number and inventory number come back. Heh.
2. When the pager is read, U1 must read the ciphertext from U2. So let's look at the SPI traffic.

The chip marked 99z16 is the MCU; the one on the right is U2, 98j97. I soldered onto the SPI lines with 0.1 mm enamelled wire and connected them to the LA's test clips. The PPS (pager programming software) I found online is a DOS version; nothing to be done about that, there was no XP back then. It can be run from cmd, though it sometimes reports a timeout; just retry a few times. In fact at first I dug out an old Win98 boot disk, and under Win98's DOS it ran without problems.


The Saleae can take up to 1000M samples, so capacity is no longer the problem, but when I actually opened the data I found my brain couldn't cope. I needed to pick an observation point. Since the MCU reading U2 happens after the PC reads the pager, I only need to watch what happens after pressing F3 "read a pager" in PPS. So I pressed start in Saleae and immediately pressed F3 in PPS. This time the data was much more manageable.

Incidentally, at the time I thought an 8-channel LA was plenty. In fact SPI alone needs 4 lines and the USART 2. Looks like I should buy a 16-channel one next time, heh. Clearly, at point 2 in the figure PPS sends the read command to the pager; zooming in you can see it is 43, 50, 50, 90. The protocol analyzer is very convenient. At point 3 the pager returns 0x50, meaning it has a password; 0x4e would mean no password, 0x44 a disabled pager, 0x42 an unprogrammed pager. Then the pager returns its serial number and inventory #. I don't know what the data after that is for.
So the SPI traffic before point 3 is the key data. Let's zoom in on that.
To be continued.........
The figures are in the attachment. Click here to download ourdev_558505.doc (file size: 17.98M) (original file name: 逆向工程.doc)

yixin posted on 2010-5-31 13:18:17

Attachment?!

sdmmqy posted on 2010-5-31 17:51:30

Reply to [OP] sdmmqy
-----------------------------------------------------------------------

From pager   00 e0,
From pc
From pager   11 00,10 00,c0 00,
From pc                         E2
From pager   11 00,10 00,e5 00,
From pc                         22,
From pager   11 01,10 00,ea 00,
From pc                         41,    A
From pager   11 01,10 00,eb 00,
From pc                         4c,    L
From pager   11 01,10 00,ec 00,
From pc                         5a,    Z
From pager   11 01,10 00,ed 00,
From pc                         4d,    M
From pager   11 01,10 00,ee 00,
From pc                         41,    A
From pager   11 01,10 00,ef 00,
From pc                         4E,    N
From pager   11 01,10 00,f0 00,
From pc                         31,    1
From pager   11 01,10 00,f1 00,
From pc                         4f,    O
From pager   11 01,10 00,f2 00,
From pc                         42,    B
From pager   11 01,10 00,f3 00,
From pc                         36,    6

The PC read 12 bytes from the pager. According to Ryan's article, 10 of them are the password. Which 10? The first two are outside the range 0-9, A-Z and space, so it must be the last 10. Looking them up in that lookup table, the plaintext for the ASCII letters above is "m" followed by nine spaces. And indeed, the password I set was "m". So this is the ciphertext. If you use an MCU to capture the SPI data while the programmer reads the pager, or have an MCU read these addresses (C0, E5, EA....) directly, you get the ciphertext; add a table-lookup function and you should get the plaintext password. Intercepting and cracking this password is that simple.

Could I write data directly into U2 and switch off the password enable?
To be continued
Click here to download ourdev_558593.doc (file size: 18.32M) (original file name: 逆向工程.doc)
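As an added example (my code, not anything from the thread), here is a Python script that ties together Jack Ryan's lookup table from the first post and the SPI read sequence sdmmqy posted above. Working through the table as posted, every row turns out to be the same 37-symbol sequence (A-Z, 0-9, space) rotated by position + 1, so the whole 370-entry table collapses to one string and a shift; the script regenerates the table from that string, checks it against the worked examples in Jack's post, parses the posted capture into an address-to-byte map, and decodes the ten bytes read from EA..F3 to the password M. The CYCLE string is my own derivation from the table, the capture text is transcribed from the post above, and the address range is assumed from that capture, not from any Motorola documentation. One thing this turns up: under this cycle the post's second example, OJ Y2VPSQV, decodes to 1500OTAPAS rather than N500OTAPAS (N at position 0 would encode to 1), which looks like a one-character slip in that example. Because the script works from the byte values in the capture rather than from glyphs on a screen, the O/0 confusion Jack warns about does not arise for the captured path.

```python
"""Motorola pager password decode: Jack Ryan's table plus the SPI capture above.

Added example, not code from the thread. CYCLE is my own derivation from the
table as posted: every row of that table is this 37-symbol sequence rotated by
(position + 1), with the space character at index 32. The capture string is
transcribed from sdmmqy's post; the address range 0xEA..0xF3 is taken from it.
"""
import re

CYCLE = "AN1OB6CP2QD7ER3SF8GT4UH9IV5WJ0KX YLZM"   # A-Z, 0-9 and space: 37 symbols
assert len(CYCLE) == 37 and len(set(CYCLE)) == 37
PASSWORD_LEN = 10   # stored passwords are always 10 symbols, padded with spaces


def encode_char(plain, pos):
    """Encoded symbol for plaintext `plain` at password position `pos` (0-9)."""
    return CYCLE[(CYCLE.index(plain) + pos + 1) % len(CYCLE)]


def decode_char(enc, pos):
    """Inverse of encode_char: step back (pos + 1) places along the cycle."""
    return CYCLE[(CYCLE.index(enc) - pos - 1) % len(CYCLE)]


def encode_password(plain):
    """Encode a 1-10 character A-Z/0-9/space password the way the pager stores it."""
    padded = plain.upper().ljust(PASSWORD_LEN)
    if len(padded) != PASSWORD_LEN or any(c not in CYCLE for c in padded):
        raise ValueError("password must be 1-10 characters from A-Z, 0-9 and space")
    return "".join(encode_char(c, i) for i, c in enumerate(padded))


def decode_password(stored):
    """Decode a 10-symbol stored password; trailing space padding is dropped."""
    if len(stored) != PASSWORD_LEN or any(c not in CYCLE for c in stored):
        raise ValueError("stored password must be exactly 10 symbols from A-Z, 0-9 and space")
    return "".join(decode_char(c, i) for i, c in enumerate(stored)).rstrip(" ")


def build_table():
    """Regenerate the full 37 x 10 lookup table: {plaintext: [encoded at pos 0..9]}."""
    return {d: [encode_char(d, p) for p in range(PASSWORD_LEN)] for d in CYCLE}


# The capture as posted (embedded as a string so this runs offline). A "From pager"
# line carries a 16-bit EEPROM address such as "ea 00"; the "From pc" line after it
# carries the byte U2 returned for that address.
CAPTURE = """\
From pager 00 e0,
From pc
From pager 11 00,10 00,c0 00,
From pc               E2
From pager 11 00,10 00,e5 00,
From pc               22,
From pager 11 01,10 00,ea 00,
From pc               41,    A
From pager 11 01,10 00,eb 00,
From pc               4c,    L
From pager 11 01,10 00,ec 00,
From pc               5a,    Z
From pager 11 01,10 00,ed 00,
From pc               4d,    M
From pager 11 01,10 00,ee 00,
From pc               41,    A
From pager 11 01,10 00,ef 00,
From pc               4E,    N
From pager 11 01,10 00,f0 00,
From pc               31,    1
From pager 11 01,10 00,f1 00,
From pc               4f,    O
From pager 11 01,10 00,f2 00,
From pc               42,    B
From pager 11 01,10 00,f3 00,
From pc               36,    6
"""

HEX_BYTE = re.compile(r"\b([0-9a-fA-F]{2})\b")


def parse_capture(text):
    """Pair each address line with the reply below it: {eeprom_address: byte}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    mem = {}
    for req, resp in zip(lines[0::2], lines[1::2]):
        addr_bytes = HEX_BYTE.findall(req.partition("From pager")[2])
        data_bytes = HEX_BYTE.findall(resp.partition("From pc")[2])
        if len(addr_bytes) < 2 or not data_bytes:
            continue                      # the opening "00 e0" gets no reply
        mem[int(addr_bytes[-2], 16)] = int(data_bytes[0], 16)   # "ea 00" -> 0xEA
    return mem


def stored_password_from_capture(text, start=0xEA):
    """Return the 10 consecutive password bytes from `start` as ASCII text."""
    mem = parse_capture(text)
    missing = [a for a in range(start, start + PASSWORD_LEN) if a not in mem]
    if missing:
        raise ValueError("capture lacks reads of " + ", ".join(f"0x{a:02X}" for a in missing))
    return bytes(mem[a] for a in range(start, start + PASSWORD_LEN)).decode("ascii")


if __name__ == "__main__":
    print("row A:", " ".join(build_table()["A"]))        # N 1 O B 6 C P 2 Q D
    print(decode_password("4IS28U5OB6"))                 # THEBEST
    stored = stored_password_from_capture(CAPTURE)
    print(stored, "->", repr(decode_password(stored)))   # ALZMAN1OB6 -> 'M'
```

The same `decode_password` applies to the encoded strings pulled out of a saved codeplug with a hex editor, as Jack describes; only the source of the ten symbols differs. If a capture is missing one of the ten reads, `stored_password_from_capture` says which address is absent rather than silently decoding a shorter string.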

eefluo posted on 2010-8-13 09:48:20

Please post the continuation here.
I saw follow-up content on your blog,
but none of the pictures there will open;
only here do the pictures open,
but the content here hasn't been updated...

sdmmqy posted on 2010-8-16 17:16:45

Reply to [post #3] eefluo
-----------------------------------------------------------------------

Click here to download ourdev_575343.doc (file size: 36.02M) (original file name: 逆向工程.doc)
Updated. Heh.

ly3663675 posted on 2015-3-5 16:07:20

Hello friend, I'm very interested in this. There are some things I can't understand, and I hope to get your help.