What is the Password reset real deal.

Posted: Sat Sep 27, 2008 5:18 am
by FMROB
OK, so I have two mobiles that are password protected. How can I get into these units?

Can I reload a blank codeplug?

If I have to send these to moto, how much and what needs to be done?

Are there workarounds?

Re: What is the Password reset real deal.

Posted: Sat Sep 27, 2008 10:19 am
by melv7956
No, you can't reload another codeplug, as you are asked for the existing one first. There is a workaround but I don't know what it is.

Re: What is the Password reset real deal.

Posted: Sun Sep 28, 2008 5:52 am
by wavetar
The one known workaround is detailed in this thread below. Unfortunately, it requires you to have a saved codeplug of the radio...nothing yet on bypassing the radio password directly.

http://batboard.batlabs.com/viewtopic.p ... mantisware

Re: What is the Password reset real deal.

Posted: Sun Sep 28, 2008 12:47 pm
by nmfire10
You could ask the owner of the radio what the password is. That would be a good start.

Re: What is the Password reset real deal.

Posted: Sun Sep 28, 2008 5:57 pm
by FMROB
nmfire10 wrote:You could ask the owner of the radio what the password is. That would be a good start.


That's an excellent answer... Thanks for all your useful help.



The OWNER of the radios went out of business and these were bought at auction. Therefore obtaining the passwords is going to be kinda difficult.

Re: What is the Password reset real deal.

Posted: Mon Sep 29, 2008 9:40 am
by wavetar
Hmmm, do you know if the radios came from your local area? If so, the odds are you could locate the dealer that programmed them (unlikely the customer did his own programming, right?) and have them blank the password, or change it to one you request. Otherwise for now it would be tough...even I as an MMS tech would have to send them to the depot, with a note begging & pleading to have the codeplug reset & hope they would do it for me.

Re: What is the Password reset real deal.

Posted: Mon Sep 29, 2008 2:54 pm
by FMROB
Todd,

I know exactly where the radios came from, and the radio shop that did the install. The radios were purchased with a bunch of site equipment like tone remotes, power supplies, jps units, etc. from an auction house. The owners of the equipment went out of business.

Upon calling the radio shop they were no help. They said it would cost upwards of 300 per unit, and that it was a major production and very secret operation, which I know obviously to be bull.
I also read a post that someone else must have bought similar equipment from the same auction, same radio shop and they had the same results.

With this being said, I could care less what is in the radios, I just want to start with a fresh slate. So I guess a trip to the depot for a repair would suffice.

Thanks, Rob

Re: What is the Password reset real deal.

Posted: Thu Oct 09, 2008 11:55 am
by wavetar
Well, I found 2 minutes to do some testing today, and guess what?

The Winhex RAM editor method of finding passwords works for TRBO CPS, just like it does for most others as detailed in the thread below:

http://batboard.batlabs.com/viewtopic.p ... lit=winhex

Follow the instructions posted in the thread. If you do a search within Winhex for the string RC_CPPASSWORD, the password will precede it in several instances...the 6th, 14th, 16th & 18th in my case when I tried it. Good luck.

Re: What is the Password reset real deal.

Posted: Fri Oct 10, 2008 2:59 pm
by Napalm
wavetar wrote:Well, I found 2 minutes to do some testing today, and guess what?

The Winhex RAM editor method of finding passwords works for TRBO CPS, just like it does for most others as detailed in the thread below:

viewtopic.php?f=15&t=51318&hilit=winhex

Follow the instructions posted in the thread. If you do a search within Winhex for the string RC_CPPASSWORD, the password will precede it in several instances...the 6th, 14th, 16th & 18th in my case when I tried it. Good luck.
your link is broken.....

Re: What is the Password reset real deal.

Posted: Fri Oct 10, 2008 6:05 pm
by ve3nsv
Try this "CLICK HERE"
Napalm wrote:
wavetar wrote:Well, I found 2 minutes to do some testing today, and guess what?

The Winhex RAM editor method of finding passwords works for TRBO CPS, just like it does for most others as detailed in the thread below:

viewtopic.php?f=15&t=51318&hilit=winhex

Follow the instructions posted in the thread. If you do a search within Winhex for the string RC_CPPASSWORD, the password will precede it in several instances...the 6th, 14th, 16th & 18th in my case when I tried it. Good luck.
your link is broken.....

Re: What is the Password reset real deal.

Posted: Sat Oct 11, 2008 6:32 pm
by FMROB
To save a little time reading through that stuff, I don't have a saved codeplug. Can the Winhex thing be done without having a codeplug saved? Thanks, Rob

Re: What is the Password reset real deal.

Posted: Sun Oct 12, 2008 3:56 pm
by ve3nsv
Maybe you can just send us your codeplug and we can do it for you?

You will have to read the radio - once prompted for the password you can recover the password with Todd's method outlined in the thread he pointed you to.


FMROB wrote:To save a little time reading through that stuff, I don't have a saved codeplug. Can the Winhex thing be done without having a codeplug saved? Thanks, Rob

Re: What is the Password reset real deal.

Posted: Sun Oct 12, 2008 4:52 pm
by FMROB
ve3nsv,

That is what I was getting at. I don't have a saved codeplug of the radios, so if I understand this correctly I can modify the software to block the password protection?

Thanks, rob

Re: What is the Password reset real deal.

Posted: Mon Oct 13, 2008 8:13 am
by wavetar
FMROB wrote:ve3nsv,

That is what I was getting at. I don't have a saved codeplug of the radios, so if I understand this correctly I can modify the software to block the password protection?

Thanks, rob
The Winhex method can be used when reading a radio directly or when reading a codeplug, makes no difference.

Re: What is the Password reset real deal.

Posted: Mon Oct 13, 2008 8:18 am
by wavetar
Napalm wrote:
wavetar wrote:Well, I found 2 minutes to do some testing today, and guess what?

The Winhex RAM editor method of finding passwords works for TRBO CPS, just like it does for most others as detailed in the thread below:

http://batboard.batlabs.com/viewtopic.p ... lit=winhex

Follow the instructions posted in the thread. If you do a search within Winhex for the string RC_CPPASSWORD, the password will precede it in several instances...the 6th, 14th, 16th & 18th in my case when I tried it. Good luck.
your link is broken.....
Fixed, thanks!

Re: What is the Password reset real deal.

Posted: Mon Oct 13, 2008 12:47 pm
by FMROB
Ok so now I kinda understand. My issue becomes that I don't have another non-passworded radio to practice with finding different associated "text strings".

So can anyone shed light on any associated locations or text strings for the TRBO software?

Thanks, Rob

Re: What is the Password reset real deal.

Posted: Mon Oct 13, 2008 7:45 pm
by FMROB
Sorry for being a pain with this, Here is what I did (it hasn't worked yet) maybe someone can tell me where I am going wrong.

1) Downloaded winhex
2) have trbo cps
3) created codeplug with password that I know
4) opened cps
5) opened codeplug to get enter password screen
6) opened winhex
7) in winhex went to "tools"
8) went to open ram
9) opened the file in winhex "edit main memory" named mototrbocps #1168
10) when this file was opened I then opened primary memory
11) clicked on search text string and entered the password.
12) program returned no search hits?

Where am I going wrong, Rob

Re: What is the Password reset real deal.

Posted: Tue Oct 14, 2008 4:28 am
by wavetar
FMROB wrote:Sorry for being a pain with this, Here is what I did (it hasn't worked yet) maybe someone can tell me where I am going wrong.

1) Downloaded winhex
2) have trbo cps
3) created codeplug with password that I know
4) opened cps
5) opened codeplug to get enter password screen
6) opened winhex
7) in winhex went to "tools"
8) went to open ram
9) opened the file in winhex "edit main memory" named mototrbocps #1168
10) when this file was opened I then opened primary memory
11) clicked on search text string and entered the password.
12) program returned no search hits?

Where am I going wrong, Rob
Those are the exact steps I followed...I just did it again to confirm each step...it works for me with both codeplugs & direct radio reading. I have no idea why it won't work for you. I'm using CPS 3.6, and Winhex 15.1. Did you try searching for the RC_CPPASSWORD text?

Re: What is the Password reset real deal.

Posted: Tue Oct 14, 2008 8:59 am
by ve3nsv
Worked here also Todd, tried it on my lunch just for the sake of doing it.

Re: What is the Password reset real deal.

Posted: Tue Oct 14, 2008 3:42 pm
by FMROB
Now I feel really bad, I have no idea why this is not working.

I was able to find two instances of the rc_cppassword text. I looked above and below and no sign of the password!!!!!

Let me go through this one more time, maybe there is something I am missing

1) Downloaded winhex, and installed it version 15.1 sr-4
2) have trbo cps version 3.6 build 97
3) created codeplug with password that I know and saved it to codeplug file. password is "suck"
4) opened cps
5) opened codeplug to get enter password small command box.
6) opened winhex while cps is open.
7) in winhex went to "tools"
8) went to open ram alt+f9
9) opened the file in winhex "edit main memory" named mototrbocps #1168
10) when this file was opened I then clicked on to primary memory, which opened up a large file
11) clicked on search text string and entered the password of "suck"
12) program returned no search hits?

when entered rc_cppassword it returned two instances.

What am I doing wrong here.

P.S. every once in a while when searching the search would stop and say that the virtual memory changed and I would have to re read the file.

Re: What is the Password reset real deal.

Posted: Tue Oct 14, 2008 4:11 pm
by FMROB
Am I supposed to be searching in ascii or unicode?

Do we have a definitive location in the codeplug? It seems to change every time I read it.

I now have luck searching suck in unicode in my known codeplug, but nothing matches up to the unknown radio as far as memory locations?????

-Rob

Re: What is the Password reset real deal.

Posted: Wed Oct 15, 2008 8:57 am
by wavetar
FMROB wrote:Am I supposed to be searching in ascii or unicode?

Do we have a definitive location in the codeplug? It seems to change every time I read it.

I now have luck searching suck in unicode in my known codeplug, but nothing matches up to the unknown radio as far as memory locations?????

-Rob
So I take it you're now able to find your 'known' password in the test codeplug? This is good, since it tells me you're using the program correctly. Now simply do a search for the RC_CPPASSWORD text, the password will precede it in several instances...the 6th, 14th, 16th & 18th in my case when I tried it. Try it in your test codeplug first, to get used to where the password precedes it...most times there's nothing close to the RC text, so it's fairly obvious once you actually see a real word or number pattern precede it.

It doesn't matter on my computer whether I search in unicode or ASCII, except it's much easier to read the results in ASCII...unicode sticks a decimal point between every character.

The memory locations are going to vary every time...Windows RAM is dynamic, nature of the beast.
FMROB wrote: P.S. every once in a while when searching the search would stop and say that the virtual memory changed and I would have to re read the file.
TRBO CPS keeps track of time, so every minute you'll get that message & have to start your search over again from the top. This also happens in some other CPS packages.

OH!, I just thought of something else...are you perhaps using Vista? I'm using WinXP SP2.

Re: What is the Password reset real deal.

Posted: Wed Oct 15, 2008 2:27 pm
by FMROB
This gets stranger by the moment.

When I search my known test saved codeplug I can find only one instance of "suck" and the program only finds it in unicode, and not in ascii.

When I load the radio, and search rc_cppassword there is nothing even close to resembling any sort of password. As a matter of fact I am only finding one instance of my known password.

I am beginning to think that this is nearly impossible to find an unknown password on a radio????

Re: What is the Password reset real deal.

Posted: Wed Oct 15, 2008 4:35 pm
by wavetar
FMROB wrote:This gets stranger by the moment.

When I search my known test saved codeplug I can find only one instance of "suck" and the program only finds it in unicode, and not in ascii.

When I load the radio, and search rc_cppassword there is nothing even close to resembling any sort of password. As a matter of fact I am only finding one instance of my known password.

I am beginning to think that this is nearly impossible to find an unknown password on a radio????
Honestly, I have no idea what's going on with your set-up, as it 'sounds' like you're doing everything properly. Are you using XP?

Send me a password protected codeplug (something other than 'suck') and let me see if I can crack it.

wavetar@eastlink.ca

Re: What is the Password reset real deal.

Posted: Sun Nov 23, 2008 3:45 am
by melv7956
I have tried this and it works only for me if you have a saved codeplug, if you are reading an alien radio that has been written with a passworded codeplug then it does not work. So just to clarify, you make a codeplug for your radio, password it and save the codeplug to both your radio and your pc, now try reading the radio you are prompted for codeplug password, use the winhex method described and it will work a treat and you will probably get all excited. Now do the same with your alien radios that you have not saved the codeplug but is written with a passworded codeplug from elsewhere and it will fail. Well it did for me anyways.
wavetar wrote:
FMROB wrote:ve3nsv,

That is what I was getting at. I don't have a saved codeplug of the radios, so if I understand this correctly I can modify the software to block the password protection?

Thanks, rob
The Winhex method can be used when reading a radio directly or when reading a codeplug, makes no difference.

Re: What is the Password reset real deal.

Posted: Sun Nov 23, 2008 7:13 am
by wavetar
FMROB & I exchanged some codeplugs & did some testing. It seems to be a CPS version issue...my codeplugs & radios which were written with an earlier version worked with this method. Once the radios were programmed with 3.6, or a codeplug saved with 3.6, it no longer worked. Another loophole closed. Oh well, I was surprised it worked in the first place.

Re: What is the Password reset real deal.

Posted: Sun Nov 23, 2008 8:39 am
by melv7956
It works on my own radios with latest software.
Melv
wavetar wrote:FMROB & I exchanged some codeplugs & did some testing. It seems to be a CPS version issue...my codeplugs & radios which were written with an earlier version worked with this method. Once the radios were programmed with 3.6, or a codeplug saved with 3.6, it no longer worked. Another loophole closed. Oh well, I was surprised it worked in the first place.

Re: What is the Password reset real deal.

Posted: Mon Nov 24, 2008 12:58 pm
by coreylk
Hi guys - procedure also works with the UK version DP3600 using latest CPS.

However, what I noticed is that when downloading during an online read of the radio, the in-memory version of the codeplug is different from opening up a saved, password protected codeplug.

However either way, you can locate the cleartext password of the radio's codeplug as described. The former you need to use "unicode" the latter, "ascii" search.

Re: What is the Password reset real deal.

Posted: Mon Nov 24, 2008 3:52 pm
by FMROB
melv7956 wrote:It works on my own radios with latest software.
Melv
wavetar wrote:FMROB & I exchanged some codeplugs & did some testing. It seems to be a CPS version issue...my codeplugs & radios which were written with an earlier version worked with this method. Once the radios were programmed with 3.6, or a codeplug saved with 3.6, it no longer worked. Another loophole closed. Oh well, I was surprised it worked in the first place.

Please share with us. We went over this backwards and forwards with no luck. It appears that the memory location changes upon every read.

Re: What is the Password reset real deal.

Posted: Thu Nov 27, 2008 5:17 am
by melv7956
When I say it worked with the latest version of CPS I meant that it worked with a saved passworded codeplug and not with a radio that I did not have the saved codeplug on my pc. However I did not try the Unicode option that has been suggested since my post. So that is another option to try. BTW These are UK DP3400 radios not sure what the model is called in the US. But I would imagine this is the same whatever they are called?
Melv
FMROB wrote:
melv7956 wrote:It works on my own radios with latest software.
Melv
wavetar wrote:FMROB & I exchanged some codeplugs & did some testing. It seems to be a CPS version issue...my codeplugs & radios which were written with an earlier version worked with this method. Once the radios were programmed with 3.6, or a codeplug saved with 3.6, it no longer worked. Another loophole closed. Oh well, I was surprised it worked in the first place.

Please share with us. We went over this backwards and forwards with no luck. It appears that the memory location changes upon every read.

Re: What is the Password reset real deal.

Posted: Thu Nov 27, 2008 6:31 am
by coreylk
if reading from a passworded codeplug via a connected radio, search for "RC_CPPASSWORD/VALID" using WinHex - irrespective of where this string is in the file, the password will be a few lines before this string in cleartext. You need to use some textual discernment to find what *looks* like a password...

Re: What is the Password reset real deal.

Posted: Wed Dec 10, 2008 3:13 pm
by flashradio
wavetar wrote:FMROB & I exchanged some codeplugs & did some testing. It seems to be a CPS version issue...my codeplugs & radios which were written with an earlier version worked with this method. Once the radios were programmed with 3.6, or a codeplug saved with 3.6, it no longer worked. Another loophole closed. Oh well, I was surprised it worked in the first place.
I'm trying to find out if this technique would work on the Kenwood radios?? Has anyone tried to use it on anything other than /\/\otorolla radios?? Also what file or extension are you using it on (winhex) to see if it shows the active password within the CPS????

thanks in advance

Flash