5.1 crack [DONE]

[munkustrap]

I will check the first hack Trials this evening.
hopefully I'm able to find the read out commands for the ESN. Then I'm able to verify the hack on my own.

I will Keep you updated
best regards

[munkustrap]

So as I understand it, you're considering -

- Identifying the RS232 request and reply messages between the console and the CPU for brain board ESN.
- Seeing if the returned ESN from the console is in cleartext. If not, figure out how it is encoded.
- Consider implementing an overwrite function (in firmware or some other translator) of the returned ESN and code-resident unlock codes with known functioning values.

Is that about right?

So, do you have any clues about the RS232 command and reply for ESN, or would a sniffing contributor to the project be looking for his or her own cleartext ESN in the RS232 traffic?

exactly (in firmware)!!
does anybody has the possibility to sniff the command for ESN ? maybe ist transmitted when the ESN Dialog is opened?

[bitSync]

does anybody has the possibility to sniff the command for ESN ? maybe ist transmitted when the ESN Dialog is opened?

Ralph,

Not sure what you mean by "the ESN Dialog" unless there's an ESN notice GUI I just never notice. To boot OS 5.1 I don't have to do any GUI interaction, just flip on the CPU power switch and the d8b 5.1 boots.

The Console Data cable has both COM1 and COM2 on it from the d8b CPU, so I presume you'd want to see what's on both of those at startup?. Or maybe not? Just COM1 (to/from Brain Board)?

If the RS232 comms data capture isn't too burdensome or complicated I might be able to help out. Please PM me and let me know some of the details.

[bitSync]

In the service manual I see COM1 on the Brain Board UART and COM2 on the DSP Board UART. I guess COM1 is the place to look for the ESN?

[munkustrap]

Hi
yes, the ESN it is on the COM1.
When OS5.1 has booted up, there must be a Setup Windows somewhere where you can read the ESN (I think its the one where you can add your licences).

I' try to find out the command by analysing the hex code of the brain Firmware.

actual Status:
I found the place where the ESN is read from the small chip that holds the ESN. I also know how I can overwrite that with a fixed ESN with license code (I already got one, thanks !)

I fount the Position in the Firmware where the ESN is send out. the Format on the RS232 is something like
????????????c (???... stands for the ESN) The ESN seems to be terminated with a "c".

In fact my first hack Trial is ready, I only Need to verify it somehow.

As I do not have a Mackie CPU I Need this command to read out the ESN. Without this command it is only possible to
Exchange the original asc file with the hacked one, boot up and lokk what ESN the System Shows.

[bitSync]

Hi
yes, the ESN it is on the COM1.

That simplifies things then, only one serial interface to sniff.

When OS5.1 has booted up, there must be a Setup Windows somewhere where you can read the ESN (I think its the one where you can add your licences).

Yes, you have to explicitly click on the Setup window menu selection within the OS 5.1 GUI to get to that dialog box, and yes, the ESN from the Brain Board U16 DS2401 is reflected in that dialog box. This is useful when you have a properly functioning OS 5.1 system but may not have a record of what your ESN is.

I' try to find out the command by analysing the hex code of the brain Firmware.

actual Status:
I found the place where the ESN is read from the small chip that holds the ESN. I also know how I can overwrite that with a fixed ESN with license code (I already got one, thanks !)

I fount the Position in the Firmware where the ESN is send out. the Format on the RS232 is something like
????????????c (???... stands for the ESN) The ESN seems to be terminated with a "c".

Yes, the ESN is 48 bits, so each of your 12 "?" above corresponds to a hex 4-bit nibble. I recall the "c" value termination from some older d8b RS232 discussions on this board.

In fact my first hack Trial is ready, I only Need to verify it somehow.

As I do not have a Mackie CPU I Need this command to read out the ESN. Without this command it is only possible to
Exchange the original asc file with the hacked one, boot up and lokk what ESN the System Shows.

So you're understanding is that the console is explicitly solicited for the ESN by the OS 5.1 software and that the Brain Board firmware responds to that request, not that the Brain Board asynchronously volunteers the ESN when it's ready?

I believe I have what is needed to sniff the RS232 Console Data interface for the ESN exchange, everything except for time. I might have a chance this weekend if that's not too much of a delay for you.

[munkustrap]

what about if I give you the hacked control.asc file and you try it in your CPU ? you should get the ESN that I've programmed into the Firmware. If it doesn't work you have to go back to your original control.asc. this should be at least faster then sniffing I guess.

[bitSync]

what about if I give you the hacked control.asc file and you try it in your CPU ? you should get the ESN that I've programmed into the Firmware. If it doesn't work you have to go back to your original control.asc. this should be at least faster then sniffing I guess.

Well, I can do that if you like, but I don't understand how that helps you identify the ESN request from the CPU to the Brain Board on COM1 and the Brain Board's response carrying the ESN. The ESN coming back from the console doesn't overwrite the firmware, right? I would think the ESN coming back from the console would be stored in program memory until the d8b is shut down and that the OS would use the ESN returned from U16 rather than some value that went out in the firmware. But I'm thinking you know more about this than I do.

I'll PM you with my email so you can get me your hacked control.asc and you can give me a few more details about what you want.

[bitSync]

what about if I give you the hacked control.asc file and you try it in your CPU ? you should get the ESN that I've programmed into the Firmware. If it doesn't work you have to go back to your original control.asc. this should be at least faster then sniffing I guess.

Ralph,

Sent you a PM with some contact info.

[munkustrap]

Thanks bitsync

I send you an email.

I wrote a program that converts all the hex stuff to the ADSP2181 instructions, so into a readable Assembler code. Additional the jumps are marked. So there is the possibility to find all the hardware based commands.

I had a breakthrough I guess.
today I found the Information in the code which character execute what code block. In other words, I found the communication commands.

It seems so that sending an "s" returns the ESN. So maybe I'm able to verify that stuff alone today in the evening.

sending a "?" to the console should return some board information or whatever. It seems so that 46 characters are transmitted then.

I also found out that there are a lot of more commands that I'm not aware at the moment.

I have a very good feeling that the hack I sent to you will succeed to
enable 5.1 again for all people that have lost their 5.1 Licenses.