
Password for CDM1550LS

Posted: Tue Nov 08, 2005 12:29 pm
by W6XR
Recently purchased a CDM1550ls+ and tried to program it for LMR use and am met with a request for a password in order to read or shoot a new program. What can be done about this? I've waited > 15 minutes after attempt. Can mother Motorola fix this?

Thanks

Posted: Tue Nov 08, 2005 12:39 pm
by phrawg
Is the clock running? There are posts in model specific info about this problem. If the internal battery is bad or the crystal is bad the clock won't run and therefore no more 15 minutes go by. Go read that section and you may gain some info that will help. Phrawg

Posted: Tue Nov 08, 2005 12:48 pm
by alex
How to get around this is posted in another thread here... it's not hard - it's stored in plain text... I think you can use winhex ram editor to read it.

-Alex

Posted: Tue Nov 08, 2005 5:12 pm
by wavetar
phrawg wrote: Is the clock running? There are posts in model specific info about this problem. If the internal battery is bad or the crystal is bad the clock won't run and therefore no more 15 minutes go by. Go read that section and you may gain some info that will help. Phrawg

I believe that only refers to the radio keypad lock issue, not the CPS password issue.

And yes, the password is in plain text in Windows memory when the CPS reads it.

The easiest way to learn is to practice.

Download Winhex...free trial version works fine.

Password protect one of your codeplugs with an easy to find password...a curse word works great. Fire up Winhex. Now try & read your codeplug with CPS...when the password field comes up, switch over to Winhex.

Use the RAM editor function on the memory used by the CPS program. Use the search feature to find your password. It'll pop up in several different places. Get to know where it comes up, and what "other variables" might precede or come after it (a specific text string, for instance).

Try this with several different passwords. Once you're comfortable, try finding the password by searching for your "other variable".

Once you've done that a few times, you'll be able to find any password.

Works for every CPS that I know of...some are easier than others...the "other variable" is different for the various radio CPS and probably different between revisions.

How to modify CPS for "off" check of the password

Posted: Sat Nov 19, 2005 8:03 am
by slavik
On example CPS R06.03.02 for ProfRadio Waris MDC.

HexWorkshop is required or any hex editor.

Open for editing file ProRadio.exe from folder with install CPS R06.03.02
Go to the offset 00240EEA from the beginning of a file.
There you will see value 741C. Replace on EB1C.
Save a file.

)) for CPS R06.01.00 go to the offset 00239F2A))

After that if necessary input of the password in CPS you can enter any combination of digits and the program will always allow you to get access to the data of radio.

BR!

SAVED BY slavik
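
Seen from the defender's side, the change described above (opcode 74, a short conditional jump, replaced by EB, an unconditional one) is easy to detect when a known-good copy of the same release is available. The following is an added example, not part of the original thread: the function names and the sample byte strings are constructed for illustration, and the check is a byte-level heuristic, since data bytes can also match the opcode pattern.

```python
import hashlib
from typing import List, Tuple

JMP_SHORT = 0xEB               # x86 "jmp rel8" (unconditional)
JCC_SHORT = range(0x70, 0x80)  # x86 "jcc rel8" family; 0x74 is jz, 0x75 is jnz


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def classify_changes(good: bytes, installed: bytes) -> List[Tuple[int, str]]:
    """Compare an installed image with a known-good copy of the same release.

    Returns (offset, kind) for every differing byte. kind is "branch-forced"
    when a short conditional jump became an unconditional one with the same
    displacement, otherwise "modified".
    """
    if sha256_hex(good) == sha256_hex(installed):
        return []
    if len(good) != len(installed):
        raise ValueError("size differs: not the same build, compare hashes only")
    findings = []
    for off, (old, new) in enumerate(zip(good, installed)):
        if old == new:
            continue
        same_disp = off + 1 < len(good) and good[off + 1] == installed[off + 1]
        forced = old in JCC_SHORT and new == JMP_SHORT and same_disp
        findings.append((off, "branch-forced" if forced else "modified"))
    return findings


# Constructed sample images (not taken from any real executable).
GOOD = bytes.fromhex("909085c0741c6a00e800000000c3")
PATCHED = GOOD[:4] + b"\xeb" + GOOD[5:]   # 74 1C -> EB 1C, displacement kept
OTHER_EDIT = GOOD[:-1] + b"\xcc"          # unrelated one-byte change

if __name__ == "__main__":
    for name, img in (("patched", PATCHED), ("other edit", OTHER_EDIT)):
        for off, kind in classify_changes(GOOD, img):
            print(f"{name}: offset 0x{off:08X} {kind}")
```

A hash mismatch against the vendor's installation media is already enough reason to reinstall; the classification only tells an investigator whether the change looks like a forced branch or some other modification.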

Posted: Wed Dec 21, 2005 1:47 am
by orac68
slavik I would like to say THANK YOU for your information. :)

It pointed me in just that right direction to find what I needed. 8)

Have a good festive season.

Regards,
Keith

Re: How to modify CPS for "off" check of the passw

Posted: Fri Dec 23, 2005 6:23 am
by The Pager Geek
slavik wrote: On example CPS R06.03.02 for ProfRadio Waris MDC.

HexWorkshop is required or any hex editor.

Open for editing file ProRadio.exe from folder with install CPS R06.03.02
Go to the offset 00240EEA from the beginning of a file.
There you will see value 741C. Replace on EB1C.
Save a file.

)) for CPS R06.01.00 goto to the offset 00239F2A))

After that if necessary input of the password in CPS you can enter any combination of digits and the program will always allow you to get access to the data of radio.

BR!

For those with Current Pro Series CPS 6.05.03
ProRadio.exe
Address 0024429A: Change 741C to EB1C

When the Password Screen comes up, just press enter. Go into the CPS password config menu and the password is displayed.

tpg

Posted: Fri Dec 23, 2005 9:10 pm
by bram380
For:
================================
CPS R06.04.00

Address 002412AA: Change 741C to EB1C
================================
================================

and

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
CPS ELP R02.01.02-AZ

Address 001316B1: Change 741C to EB1C

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


INDONESIA....
[BALI, SANUR Beach, KUTA Beach, TOBA Lake, BOROBUDOR Temple,
ACEH Tsunami, BROMO Mountain.........]

@MAHSU% .... AZ LA MD AA FD

Posted: Sat Dec 24, 2005 5:08 am
by wavetar
The Winhex method works for all CPS...Astro/25/CP-CM/MTS/MCS/etc...it'll do until we figure out the 'everything valid' mod for all of them.

Todd

Posted: Sat Dec 24, 2005 9:58 am
by The Pager Geek
I'll tell you what.. list the software that has a CPS password option...

tpg

Posted: Sat Dec 24, 2005 3:04 pm
by wavetar
The Pager Geek wrote: I'll tell you what.. list the software that has a CPS password option...

tpg

Pretty much every CPS...even the 1225 could be password protected, I believe. I don't recall the MTR2000 having it, but everything else Windows based does.

Todd

Posted: Sat Dec 24, 2005 3:27 pm
by The Pager Geek
MCS Doesn't (recanted)
PR1500's Don't
Astro Spectra Doesn't

tpg

Posted: Sat Dec 24, 2005 3:39 pm
by HLA
my MCS2000 is password protected.

Posted: Sat Dec 24, 2005 3:42 pm
by The Pager Geek
What version CPS and can you send me the codeplug?

Thanks!
thepagergeek@aol.com

Posted: Sat Dec 24, 2005 4:55 pm
by HLA
i'm not sure of the version, it's at work but it's the new one that does mts and mcs.

Posted: Sun Dec 25, 2005 7:41 am
by wavetar
The Pager Geek wrote: MCS Doesn't (recanted)
PR1500's Don't
Astro Spectra Doesn't

tpg

Picky, picky :wink:

The PR1500 I just assumed it did since it was the same CPS as the XTS2500/5000.

The Astro Spectra I also assumed. I wonder if the Astro25 Mobile can be? I'll have to check on that when I get back to work.

Posted: Sun Dec 25, 2005 9:02 am
by jim
Astro P25 mobile can.

Posted: Sun Dec 25, 2005 10:15 pm
by bram380
I have several codeplugs.
I use HexWorkshop v4.23 to edit CPS Password.
How to convert *.cpg to S Record format?
...


INDONESIA....

Posted: Thu Jan 12, 2006 7:34 pm
by bram380
for CPS R06.02.05
=====================
Address: 0024029A
Change: 741C
to : EB1C
=====================

INDONESIA....
[BALI, SANUR Beach, KUTA Beach, TOBA Lake, BOROBUDOR Temple,
ACEH Tsunami, BROMO Mountain.........]

@MAHSU% .... AZ,LA,MD,AA,FD,UHF,VHF,200,700,800MHz

CPS 06.00.00AZ

Posted: Mon Jan 16, 2006 3:22 pm
by Johnno
Does anyone have the hex address that requires modification to solve the password issue for CPS 06.00.00AZ?

Posted: Mon Jan 16, 2006 3:45 pm
by wavetar
From the looks of the above, do a search for "741C"...see how many instances pop up.

Todd

Posted: Mon Jan 16, 2006 4:27 pm
by Johnno
Hi Todd,
I have done a search for that value, it comes up many times in and around 0024xxxx address. Can anybody advise me of the string around the value I need to change. That would make it easier to locate.

Thanks
Johnno.

Passwords

Posted: Wed Jan 18, 2006 5:33 pm
by xxx2fan
Does this work in other CPS say for the MCS2000 also that is password protected.
This was some great info for me Thanks to everyone who posted info.

Posted: Wed Feb 01, 2006 5:35 pm
by smile@2006
Trick to disable password:
1). Dis-assembler *.exe file to make *.txt file.
2). Locate StringData "INCORRECT PASSWORD" in *.txt
3). Locate 74xx "INCORRECT PASSWORD".
4). Write to paper the address of 74xx.
5). Open *.exe with HexWorkshop.
6). Change command JNE (Jump If Not Equal) to JMP (Jump).
JNE = 75 , JMP = BE
7). Locate 75xx in *.exe, replace with EBxx.
------------------------------------------------------------------------------
:lol: :lol: :lol:
@MAHSU%
:roll: :roll: :roll:

Posted: Mon Feb 06, 2006 1:08 pm
by acidflux
I used PE Explorer to dis-assemble the proradio.exe and export the strings to a text file. I found the following string but I cannot find this address in Hexworkshop?

00643CAA 741C jz L00643CC8

00643CBC 68A4F97A00 push SSZ007AF9A4_Incorrect_Password

00643CC8 8BCD mov ecx,ebp



I'm using CPS R06.05.00AA

Posted: Tue Feb 07, 2006 8:40 pm
by smile@2006
For CPS R06.05.00:
Address of disable password is 00452ABC (Hex offset of *.exe).
Change 75xx to FDxx
------------------------------------------

:D :D :D
@MAHSU%
:D :D :D

Posted: Sat Feb 25, 2006 9:50 pm
by HLA
ok this is kinda the opposite question. how would i go about enabling the cps password on a codeplug that has that box greyed out? i can enable and use the keypad lock. anyone ever tried that?

RE: Locked CDM1550

Posted: Sun Feb 26, 2006 10:46 pm
by TWEMARS
Try programming the radio with another, correct, codeplug. I have done this when I have gotten locked out of both 1225 and CDM radios.

I also bought a CDM off of eBay that was locked. I didn't have an archive of the correct radio but I got someone to send an archive for that EXACT MODEL NUMBER, programmed it in and PRESTO! It was unlocked.

I recall that SERIAL NUMBERS are a non-issue with WARIS radios. There is no CLONE feature, just read and program but again:

You must have the EXACT MODEL NUMBER!!!

Posted: Thu Mar 02, 2006 12:41 pm
by smile@2006
New info...
Disable password CPS R06.06.00
Change to BDxx from 75xx
address: 0036ABCA

:D :D :D
@MAHSU%
:D :D :D

Posted: Wed Mar 22, 2006 1:19 pm
by firemanfox
I am confused as to what I am doing. I need to access a couple Ht1250ls+ without losing all the data but they are passworded. I have Professional Radio CPS R06.04.00 but I am lost as what I want to import into my hex editor. I have a codeplug from a cdm1250 I have been trying to play with to get experience but it isn't making a lot of sense. When I load the codeplug into the hex editor I am not finding any of the strings like you guys are talking about. Can someone step me through this?

Posted: Wed Mar 22, 2006 2:26 pm
by HLA
it's not the codeplug, it's in the .exe file for the program. open that one.

Posted: Wed Mar 22, 2006 3:36 pm
by firemanfox
sorry to sound ignorant about this but where is the .exe file? does it get transferred when you read the code plug? Thanks

Posted: Wed Mar 22, 2006 4:37 pm
by firemanfox
Well after more playing I figured it out, thanks for the help!

Help

Posted: Wed May 31, 2006 12:29 pm
by pacrat551
Ok, I'm completely new and ignorant to using winhex. I have found the proradio.exe file but I can't figure out the offset. I'm using Professional radio CPS R06.04.00. I see the offsets, but they start with 00400000. How do I go about editing this to bypass a password problem.

I've also tried the other method of finding the password, but I can't come up with a common variable to track it.

Any help is appreciated

help

Posted: Fri Sep 29, 2006 1:57 pm
by motopapa
I've dis-assembled the cps.exe for a cm200 - a search for "password" yields no clues. Anyone know which hex address controls the password option for a cm200?

TIA

Posted: Fri Sep 29, 2006 5:34 pm
by wavetar
No, but the CM200 is one of the easiest to use the Winhex method on...just type in any word for a password to get the error window to come up, then do a search for that word in the Winhex RAM editor...the real password shows up a few lines below the incorrect password.

Posted: Sat Sep 30, 2006 4:48 am
by motopapa
Are you searching in the CPS.exe file for those words or a different file? Thanks again.

Posted: Sat Sep 30, 2006 6:28 pm
by motopapa
we put in a guess for a password, used winhex, opened the exe file, and then opened the ram file and searched the physical memory for our guess. Our guess and several subsequent guesses all show up, but there is no other evidence of any password below.

Are we looking in the correct spot (physical memory - of the ram file - alt-f9 option in winhex)?

Thanks

Posted: Sat Sep 30, 2006 6:54 pm
by bellersley
It's probably a long shot, but I wonder if this type of thing would work on a Kenwood. I have one I'd sure like to use!

Posted: Sat Sep 30, 2006 7:17 pm
by tvsjr
bellersley wrote: It's probably a long shot, but I wonder if this type of thing would work on a Kenwood. I have one I'd sure like to use!

Yep.

Posted: Sun Oct 01, 2006 6:49 am
by RESCUE161
Has anyone made the Astro 25 CPS work for "anything valid"?

I am finding the "wrong" passwords (my intentional wrong entries), but I can't seem to find the actual password.

Are the passwords on the Astro 25 CPS encrypted?

Posted: Thu Oct 26, 2006 10:57 am
by wavetar
RESCUE161 wrote: Has anyone made the Astro 25 CPS work for "anything valid"?

I am finding the "wrong" passwords (my intentional wrong entries), but I can't seem to find the actual password.

Are the passwords on the Astro 25 CPS encrypted?

I haven't delved into the 'anything valid' side of things, just strictly using Winhex to see the password. From my notes for Astro25 CPS:

All readings taken with Winhex 11.8

XTS5000: CPS version 4.01.01

Open CPS, read codeplug, when prompted for password, go to the Winhex screen. Go to ‘tools’-> ‘open RAM’. A window will pop up listing all current applications running. Choose ‘patport’ (should be the last one in the list, since it’s the last program you opened), then ‘primary memory’.

Search (CTRL+F) for text string: microsoft\windows\ includes the slashes.

There will be many instances of the text string, press F3 to continue searching. At the 4th occurrence, the password should almost immediately precede the text string.


Now, the above was figured out through testing with a "known" password, and figuring out what text was nearby it when searching, then using that text as the search parameter on a codeplug with an "unknown" password. Works great, except the text can change with each CPS version, so you have to re-figure it out again every release.

Todd

Posted: Thu Oct 26, 2006 2:25 pm
by RESCUE161
Thank you! Works great!!!

[edit]

Works great, but make sure you test it out first. I tried different size passwords and ones that were fairly long, it would cut off the first part of "Microsoft", so I just used the next word over - "Windows\CurrentVersion".

Awesome work guys!

Posted: Sun Dec 24, 2006 5:20 pm
by Flatbush97
Has anyone modified version 6.06.07 yet? Does anyone know the address to look for?

Thanks

Disable Password CDM

Posted: Tue Jan 02, 2007 6:49 pm
by smile@2006
Hi,
Disassembler cps,
change option JNZ to JE to disable password.
or,
Delete Dialog Password from cps structure.

Successfully to crack:
CPS R06.07.04-AZ (GP328/GP338)
CPS ELP R02.01.02-AZ (GP308)
CPS ELM R05.05-AZ (GM3188/GM3688/GP3188/GP3688).

smile@2006
AZ-AA-LA-MD-FD
HUMAS@%&
INDONESIA

Posted: Wed Jan 03, 2007 11:52 am
by Dave518
FYI... you can get around the unknown password issue by simply cloning the radio with the codeplug of a radio that has the exact same model number. Of course, you lose the programming information in the original radio, but at least you can program it without having to hack the codeplug.

Posted: Mon Jan 08, 2007 10:23 pm
by kbmp0992
I want to thank the board for this thread... I finally got around to working on my CDM1550LS+, and hit the password roadblock as soon as I tried to read the radio. After my panic subsided, I looked at Batlabs, and there was the solution, right in front of me. I downloaded Hex Workshop, and edited hex code for the first time in many years. I apparently followed instructions well, because I was able to get around the password and read the radio.

Thank you!

disable password

Posted: Wed Mar 28, 2007 3:06 pm
by n2rld
In CPS R06.07.04
The offset is
00244CF0
just change the
741C
To
EB1C
and you're all set

Karl N2RLD

Re: Password for CDM1550LS

Posted: Sat Aug 25, 2007 11:02 pm
by cab
anyone who is successful in applying the method in kenwood???? I can't do it in kenwood...

Re: Password for CDM1550LS

Posted: Tue Nov 06, 2007 10:06 am
by bchbumn
For R06.08.05 I found it at offset: 02380650
change 741C to EB1C

that should take care of the problem!