Password for CDM1550LS

This forum is for discussions regarding all aspects of Motorola radio programming, including hardware, computers, installation and use of RSS/CPS, firmware upgrades, and troubleshooting. There are subforums for discussions of codeplugs, and also for software/firmware release notes and issues.

Moderator: Queue Moderator

W6XR
Posts: 1
Joined: Tue Nov 08, 2005 12:24 pm

Password for CDM1550LS

Post by W6XR »

Recently purchased a CDM1550ls+ and tried to program it for LMR use and am met with a request for a password in order to read or shoot a new program. What can be done about this? I've waited > 15 minutes after attempt. Can mother Motorola fix this?

Thanks
Natan Huffman
User avatar
phrawg
Posts: 690
Joined: Sun Sep 09, 2001 4:00 pm

Post by phrawg »

Is the clock running ? There are posts in model specific info about this
problem. If the internal battery is bad or the crystal is bad the clock
wont run and therefore no more 15 minutes go by. Go read that section
and you may gain some info that will help. Phrawg
BBbzzzzz... ZAP.. GULP !!! ahhhh GOOD fly !
User avatar
alex
Administrator
Posts: 5761
Joined: Mon Sep 03, 2001 4:00 pm

Post by alex »

How to get around this is posted in another thread here... it's not had - it's stored in plain text... I think you can use winhex ram editor to read it.

-Alex
The Radio Information Board: http://www.radioinfoboard.com
Your source for information on: Harris/Ma-Comm/EFJ/RELM/Kenwood/ICOM/Thales, equipment.
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

phrawg wrote:Is the clock running ? There are posts in model specific info about this
problem. If the internal battery is bad or the crystal is bad the clock
wont run and therefore no more 15 minutes go by. Go read that section
and you may gain some info that will help. Phrawg
I believe that only refers to the radio keypad lock issue, not the CPS password issue.

And yes, the password is in plain text in Windows memory when the CPS reads it.

The easiest way to learn is to practice.

Download Winhex...free trial version works fine.

Password protect one of your codeplugs with an easy to find password...a curse word works great. Fire up Winhex. Now try & read your codeplug with CPS...when the password field comes up, switch over to Winhex.

Use the RAM editor function on the memory used by the CPS program. Use the search feature to find your password. It'll pop up in several different places. Get to know where it comes up, and what "other variables" might precede or come after it (a specific text string, for instance).

Try this with several different passwords. Once you're comfortable, try finding the password by searching for your "other variable".

Once you've done that a few times, you'll be able to find any password.

Works for every CPS that I know of...some are easier than others...the "other variable" is different for the various radio CPS and probably different between revisions.
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

How to modify CPS for "off" check of the password

Post by slavik »

On example CPS R06.03.02 for ProfRadio Waris MDC.

HexWorkshop is required or any hex editor.

Open for editing file ProRadio.exe from folder with install CPS R06.03.02
Go to the offset 00240EEA from the beginning of a file.
There you will see value 741C. Replace on EB1C.
Save a file.

)) for CPS R06.01.00 goto to the offset 00239F2A))

After that if necessary input of the password in CPS you can enter any combination of digits and the program will always allow you to get access to the data of radio.

BR!
orac68
Posts: 4
Joined: Mon Dec 19, 2005 2:19 am

SAVED BY [b]slavik[/b]

Post by orac68 »

slavik I would like to say THANK YOU for your information. :)

It pointed me in just that right direction to find what I needed. 8)

Have a good festive season.

Regards,
Keith
User avatar
The Pager Geek
Posts: 1250
Joined: Fri Jun 21, 2002 10:31 pm
What radios do you own?: Disney FRS

Re: How to modify CPS for "off" check of the passw

Post by The Pager Geek »

slavik wrote:On example CPS R06.03.02 for ProfRadio Waris MDC.

HexWorkshop is required or any hex editor.

Open for editing file ProRadio.exe from folder with install CPS R06.03.02
Go to the offset 00240EEA from the beginning of a file.
There you will see value 741C. Replace on EB1C.
Save a file.

)) for CPS R06.01.00 goto to the offset 00239F2A))

After that if necessary input of the password in CPS you can enter any combination of digits and the program will always allow you to get access to the data of radio.

BR!
For those with Current Pro Series CPS 6.05.03
ProRadio.exe
Address 0024429A: Change 741C to EB1C

When the Password Screen comes up, just press enter. Go into the CPS password config menu and the password is displayed.

tpg
Experienced Provider of Useless Information
User avatar
bram380
2 Warnings for RSS/CPS Wanted/For Sale
Posts: 74
Joined: Sun Jun 09, 2002 10:39 pm

Post by bram380 »

For:
================================
CPS R06.04.00

Address 002412AA: Change 741C to EB1C
================================
================================

and

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
CPS ELP R02.01.02-AZ

Address 001316B1: Change 741C to EB1C

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


INDONESIA....
[BALI, SANUR Beach, KUTA Beach, TOBA Lake, BOROBUDOR Temple,
ACEH Tsunami, BROMO Mountain.........]

@MAHSU% .... AZ LA MD AA FD
Last edited by bram380 on Sun Dec 25, 2005 10:02 pm, edited 1 time in total.
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

The Winhex method works for all CPS...Astro/25/CP-CM/MTS/MCS/etc...it'll do until we figure out the 'everything valid' mod for all of them.

Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
User avatar
The Pager Geek
Posts: 1250
Joined: Fri Jun 21, 2002 10:31 pm
What radios do you own?: Disney FRS

Post by The Pager Geek »

I'll tell you what.. list the software that has a CPS password option...

tpg
Experienced Provider of Useless Information
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

The Pager Geek wrote:I'll tell you what.. list the software that has a CPS password option...

tpg
Pretty much every CPS...even the 1225 could be password protected, I believe. I don't recall the MTR2000 having it, but everything else Windows based does.

Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
User avatar
The Pager Geek
Posts: 1250
Joined: Fri Jun 21, 2002 10:31 pm
What radios do you own?: Disney FRS

Post by The Pager Geek »

MCS Doesn't (recanted)
PR1500's Don't
Astro Spectra Doesn't

tpg
Last edited by The Pager Geek on Sat Dec 24, 2005 3:46 pm, edited 1 time in total.
Experienced Provider of Useless Information
User avatar
HLA
Posts: 2334
Joined: Mon Jul 11, 2005 8:15 pm
What radios do you own?: HT1550's, X9000's, CDM1550's

Post by HLA »

my MCS2000 is password protected.
HLA
I never check PM's so don't bother, just email me.
I won't reply to a hotmail, gmail, aol or any other generic free address, if you want me to reply use a real address.
STOP ASKING ME FOR SOFTWARE OR FIRMWARE, I JUST FORWARD ALL OF THE REQUESTS TO THE MODERATORS
User avatar
The Pager Geek
Posts: 1250
Joined: Fri Jun 21, 2002 10:31 pm
What radios do you own?: Disney FRS

Post by The Pager Geek »

What version CPS and Can you send my the codeplug?

Thanks!
thepagergeek@aol.com
Experienced Provider of Useless Information
User avatar
HLA
Posts: 2334
Joined: Mon Jul 11, 2005 8:15 pm
What radios do you own?: HT1550's, X9000's, CDM1550's

Post by HLA »

i'm not shure of the version, it's at work but it's the new one that does mts and mcs.
HLA
I never check PM's so don't bother, just email me.
I won't reply to a hotmail, gmail, aol or any other generic free address, if you want me to reply use a real address.
STOP ASKING ME FOR SOFTWARE OR FIRMWARE, I JUST FORWARD ALL OF THE REQUESTS TO THE MODERATORS
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

The Pager Geek wrote:MCS Doesn't (recanted)
PR1500's Don't
Astro Spectra Doesn't

tpg

Picky, picky :wink:

The PR1500 I just assumed it did since it was the same CPS as the XTS2500/5000.

The Astro Spectra I also assumed. I wonder of the Astro25 Mobile can be? I'll have to check on that when I get back to work.
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
User avatar
jim
Posts: 2184
Joined: Sun Sep 09, 2001 4:00 pm

Post by jim »

Astro P25 mobile can.
User avatar
bram380
2 Warnings for RSS/CPS Wanted/For Sale
Posts: 74
Joined: Sun Jun 09, 2002 10:39 pm

Post by bram380 »

I have several codeplug.
I use HexWorkshop v4.23 to edit CPS Password.
How to convert *.cpg to S Record format?
...


INDONESIA....
User avatar
bram380
2 Warnings for RSS/CPS Wanted/For Sale
Posts: 74
Joined: Sun Jun 09, 2002 10:39 pm

Post by bram380 »

for CPS R06.02.05
=====================
Address: 0024029A
Change: 741C
to : EB1C
=====================

INDONESIA....
[BALI, SANUR Beach, KUTA Beach, TOBA Lake, BOROBUDOR Temple,
ACEH Tsunami, BROMO Mountain.........]

@MAHSU% .... AZ,LA,MD,AA,FD,UHF,VHF,200,700,800MHz
User avatar
Johnno
Batboard $upporter
Posts: 86
Joined: Fri Oct 18, 2002 7:09 pm
What radios do you own?: XTL2.5K,XTS2.5k, P25 stuff....

CPS 06.00.00AZ

Post by Johnno »

Does anyone have the hex address that requires modification to solve the password issue for CPS 06.00.00AZ?
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

From the looks of the above, do a search for "741C"...see how many instances pop up.

Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
User avatar
Johnno
Batboard $upporter
Posts: 86
Joined: Fri Oct 18, 2002 7:09 pm
What radios do you own?: XTL2.5K,XTS2.5k, P25 stuff....

Post by Johnno »

Hi Todd,
I have done a search for that value, it comes up many times in and around 0024xxxx address. Can anybody advise me of the string around the value I need to change. That would make it easier to locate.

Thanks
Johnno.
xxx2fan
Posts: 84
Joined: Mon Oct 31, 2005 4:42 pm
What radios do you own?: HT750 Ht1250 CDM1250 CDM1550

Passwords

Post by xxx2fan »

Does this work in other CPS say for the MCS2000 also that is password protected.
This was some great info for me Thanks to everyone who posted info.
User avatar
smile@2006
Posts: 54
Joined: Thu Jan 26, 2006 7:51 pm
What radios do you own?: XTS2500 XTL2500 ATS2500

Post by smile@2006 »

Trick to dissable password:
1). Dis-assembler *.exe file to make *.txt file.
2). Locate StringData "INCORRECT PASSWORD" in *.txt
3). Locate 74xx "INCORRECT PASSWORD".
4). Write to paper the address of 74xx.
5). Open *.exe with HexWorkshop.
6). Change command JNE (Jump If Not Equal) to JMP (Jump).
JNE = 75 , JMP = BE
7). Locate 75xx in *.exe, replace with EBxx.
------------------------------------------------------------------------------
:lol: :lol: :lol:
@MAHSU%
:roll: :roll: :roll:
Last edited by smile@2006 on Sat Nov 11, 2006 10:02 pm, edited 3 times in total.
acidflux
Posts: 8
Joined: Sat Aug 28, 2004 3:11 pm
What radios do you own?: XTS5000, HT1550XLS, CDM1550

Post by acidflux »

I used PE Explorer to dis-assemble the proradio.exe and export the strings to a text file. I found the following string but I cannot find this address in Hexworkshop?

00643CAA 741C jz L00643CC8

00643CBC 68A4F97A00 push SSZ007AF9A4_Incorrect_Password

00643CC8 8BCD mov ecx,ebp



I'm using CPS R06.05.00AA
User avatar
smile@2006
Posts: 54
Joined: Thu Jan 26, 2006 7:51 pm
What radios do you own?: XTS2500 XTL2500 ATS2500

Post by smile@2006 »

For CPS R06.05.00:
Address of dissable password is 00452ABC (Hex offset of *.exe).
Change 75xx to FDxx
------------------------------------------

:D :D :D
@MAHSU%
:D :D :D
Last edited by smile@2006 on Sat Nov 11, 2006 10:06 pm, edited 2 times in total.
User avatar
HLA
Posts: 2334
Joined: Mon Jul 11, 2005 8:15 pm
What radios do you own?: HT1550's, X9000's, CDM1550's

Post by HLA »

ok this is kinda the opposite question. how would i go about enabling the cps password on a codeplug that has that box greyed out? i can enable and use the keypad lock. anyone ever tried that?
HLA
I never check PM's so don't bother, just email me.
I won't reply to a hotmail, gmail, aol or any other generic free address, if you want me to reply use a real address.
STOP ASKING ME FOR SOFTWARE OR FIRMWARE, I JUST FORWARD ALL OF THE REQUESTS TO THE MODERATORS
TWEMARS
Posts: 27
Joined: Sun Feb 26, 2006 10:24 pm
What radios do you own?: More than you can ever imagine

RE: Locked CDM1550

Post by TWEMARS »

Try programimng the radio with another, correct, codeplug. I have done this when I have gotten locked out of both 1225 and CDM radios.

I also bought a CDM off of eBay that was locked. I didn't have an archive of the correct radio but I got someone to send an archive for that EXACT MODEL NUMBER, programmed it in and PRESTO! It was unlocked.

I recall that SERIAL NUMBERS are a non-issue with WARIS radios. There is no CLONE feature, just read and program but again:

You must have the EXACT MODEL NUMBER!!!
User avatar
smile@2006
Posts: 54
Joined: Thu Jan 26, 2006 7:51 pm
What radios do you own?: XTS2500 XTL2500 ATS2500

Post by smile@2006 »

New info...
Dissable password CPS R06.06.00
Change to BDxx from 75xx
address: 0036ABCA

:D :D :D
@MAHSU%
:D :D :D
Last edited by smile@2006 on Sat Nov 11, 2006 10:08 pm, edited 2 times in total.
firemanfox
Posts: 28
Joined: Sat Jan 14, 2006 7:53 pm

Post by firemanfox »

I am confused as to what I am doing. I need to access a couple Ht1250ls+ without losing all the data but they are passworded. I have Professional Radio CPS R06.04.00 but I am lost as what I want to import into my hex editor. I have a codeplug from a cdm1250 I have been trying to play with to get experiance but it isn't making a lot of sense when I load the codeplug into the hexeditor I am not finding any of the strings like you guys are talking about. Can someone step me through this?
Fire Department Lieutenant
User avatar
HLA
Posts: 2334
Joined: Mon Jul 11, 2005 8:15 pm
What radios do you own?: HT1550's, X9000's, CDM1550's

Post by HLA »

it's not the codeplug, it's in the .exe file for the program. open that one.
HLA
I never check PM's so don't bother, just email me.
I won't reply to a hotmail, gmail, aol or any other generic free address, if you want me to reply use a real address.
STOP ASKING ME FOR SOFTWARE OR FIRMWARE, I JUST FORWARD ALL OF THE REQUESTS TO THE MODERATORS
firemanfox
Posts: 28
Joined: Sat Jan 14, 2006 7:53 pm

Post by firemanfox »

sorry to sound ignorant about this but where is the .exe file? does it get transfered when you read the code plug? Thanks
Fire Department Lieutenant
firemanfox
Posts: 28
Joined: Sat Jan 14, 2006 7:53 pm

Post by firemanfox »

Well after more playing I figured it out, thanks for the help!
Fire Department Lieutenant
pacrat551
Posts: 30
Joined: Tue Oct 16, 2001 4:00 pm

Help

Post by pacrat551 »

Ok, I'm completely new and ignorant to using winhex. I have found the proradio.exe file but I can't figure out the offset. I'm using Professional radio CPS R06.04.00. I see the offsets, but they start with 00400000. How do I go about editing this to bypass a password problem.

I've also tried the other method of finding the password, but I can't come up with a common variable to track it.

Any help is appreciated
Aaron Slaughter
Communications Coordinator
City of Lockhart
Lockhart, Texas
aslaughter@lockhart-tx.org
motopapa
Posts: 14
Joined: Sat Sep 23, 2006 7:32 pm

help

Post by motopapa »

I've dis-assembled the cps.exe for a cm200 - a search for "password" yields no clues. Anyone know which hex address controls the password option for a cm200?

TIA
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

No, but the CM200 is one of the easiest to use the Winhex method on...just type in any word for a password to get the error window to come up, then do a search for that word in the Winhex RAM editor...the real password shows up a few lines below the incorrect password.
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
motopapa
Posts: 14
Joined: Sat Sep 23, 2006 7:32 pm

Post by motopapa »

Are you searching in the CPS.exe file for those words or a different file? Thanks again.
motopapa
Posts: 14
Joined: Sat Sep 23, 2006 7:32 pm

Post by motopapa »

we put in a guess for a password, used winhex, opened the exe file, and then opened the ram file and searched the physical memory for our guess. Our guess and several subsequent guesses all show up, but there is no other evidence of any password below.

Are we looking in the correct spot (physical memory - of the ram file - alt-f9 option in winhex)?

Thanks
bellersley
No Longer Registered
Posts: 872
Joined: Tue Feb 22, 2005 7:03 am

Post by bellersley »

It's probably a long shot, but I wonder if this type of thing would work on a Kenwood. I have one I'd sure like to use!
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Post by tvsjr »

bellersley wrote:It's probably a long shot, but I wonder if this type of thing would work on a Kenwood. I have one I'd sure like to use!
Yep.
User avatar
RESCUE161
Batboard $upporter
Posts: 2062
Joined: Wed Jan 16, 2002 4:00 pm
What radios do you own?: Too many!

Post by RESCUE161 »

Has anyone made the Astro 25 CPS work for "anything valid"?

I am finding the "wrong" passwords (my intentional wrong entries), but I can't seem to find the actual password.

Are the passwords on the Astro 25 CPS encrypted?
Scott
KE4FHH
Religion: Kills folks dead!
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

RESCUE161 wrote:Has anyone made the Astro 25 CPS work for "anything valid"?

I am finding the "wrong" passwords (my intentional wrong entries), but I can't seem to find the actual password.

Are the passwords on the Astro 25 CPS encrypted?
I haven't delved into the 'anything valid' side of things, just strictly using Winhex to see the password. From my notes for Astro25 CPS:

All readings taken with Winhex 11.8

XTS5000: CPS version 4.01.01

Open CPS, read codeplug, when prompted for password, go to the Winhex screen. Go to ‘tools’-> ‘open RAM’. A window will pop up listing all current applications running. Choose ‘patport’ (should be the last one in the list, since it’s the last program you opened), then ‘primary memory’.

Search (CTRL+F) for text string: microsoft\windows\ includes the slashes.

There will many instances of the text string, press F3 to continue searching. At the 4th occurrence, the password should almost immediately precede the text string.


Now, the above was figured out through testing with a "known" password, and figuring out what text was nearby it when searching, then using that text as the search parameter on a codeplug with an "unknown" password. Works great, except the text can change with each CPS version, so you have to re-figure it out again every release.

Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
User avatar
RESCUE161
Batboard $upporter
Posts: 2062
Joined: Wed Jan 16, 2002 4:00 pm
What radios do you own?: Too many!

Post by RESCUE161 »

Thank you! Works great!!!

[edit]

Works great, but make sure you test it out first. I tried different size passwords and ones that were fairly long, it would cut off the first part of "Microsoft", so I just used the next word over - "Windows\CurrentVersion".

Awesome work guys!
Scott
KE4FHH
Religion: Kills folks dead!
User avatar
Flatbush97
Posts: 87
Joined: Tue Sep 04, 2001 4:00 pm

Post by Flatbush97 »

Has anyone modified version 6.06.07 yet? Does anyone know the address to look for?

Thanks
User avatar
smile@2006
Posts: 54
Joined: Thu Jan 26, 2006 7:51 pm
What radios do you own?: XTS2500 XTL2500 ATS2500

Disable Password CDM

Post by smile@2006 »

Hi,
Disassembler cps,
change optinon JNZ to JE to disable password.
or,
Delete Dialog Password from cps structure.

Successfully to carck:
CPS R06.07.04-AZ (GP328/GP338)
CPS ELP R02.01.02-AZ (GP308)
CPS ELM R05.05-AZ (GM3188/GM3688/GP3188/GP3688).

smile@2006
AZ-AA-LA-MD-FD
HUMAS@%&
INDONESIA
Last edited by smile@2006 on Thu Jan 04, 2007 6:53 pm, edited 2 times in total.
Dave518
Posts: 43
Joined: Fri Sep 22, 2006 8:56 am

Post by Dave518 »

FYI... you can get around the unknown password issue by simply cloning the radio with the codeplug of a radio that has the exact same model number. Of course, you lose the programming information in the original radio, but at least you can program it without having to hack the codeplug.
User avatar
kbmp0992
Batboard $upporter
Posts: 23
Joined: Sat Aug 23, 2003 4:21 pm

Post by kbmp0992 »

I want to thank the board for this thread... I finally got around to working on my CDM1550LS+, and hit the password roadblock as soon as I tried to read the radio. After my panic subsided, I looked at Batlabs, and there was the solution, right in front of me. I downloaded Hex Workshop, and edited hex code for the first time in many years. I apparently followed instructions well, because I was able to get around the password and read the radio.

Thank you!
n2rld
Posts: 27
Joined: Thu Aug 24, 2006 6:03 pm
What radios do you own?: Ht1250,MTX9250,XPR6550,MCS2000

dissable password

Post by n2rld »

In CPS R06.07.04
The offset is
00244CF0
just change the
741C
To
EB1C
and your all set

Karl N2RLD
cab
Posts: 8
Joined: Tue Feb 22, 2005 1:02 am

Re: Password for CDM1550LS

Post by cab »

anyone whos is successful in applying the method in kenwood???? I can't do it in kenwood...
bchbumn
New User
Posts: 1
Joined: Sat Oct 20, 2007 11:49 am

Re: Password for CDM1550LS

Post by bchbumn »

For R06.08.05 I found it at offset: 02380650
change 741C to EB1C

that should take care of the problem!
Post Reply

Return to “Radio Programming”