Real reverse engineering: cracking the Motorola Advisor pager password
I have had this wish for a long time. Back then, to retune those pagers to a new frequency and register them on the network, the company had no choice but to crack the pagers' passwords. I remember we bought two or three decryptor boxes, at something over 2000 yuan each. I did not understand microcontrollers much at the time; I only remember it seemed magical. I thought then: some day I will crack this myself......
Time passed. I remember that in 2007 the matter came back to mind by chance. I had no logic analyzer then, only an FPGA development board, so I tried to use the RAM of an Altera FPGA to record the data. Unfortunately it failed: that bit of RAM was far too small. The record of that attempt is here: http://www.ourdev.cn/bbs/bbs_content.jsp?bbs_sn=745630&bbs_page_no=1&search_mode=3&search_text=sdmmqy&bbs_id=9999
So the matter had to be shelved. Another 3 years passed...... and finally the chance came. First I bought Wei Kun's second-edition oscilloscope from a forum member, then a Saleae LA from another member. I had also just finished an NRF24Z1 project with a mega48. Everything felt ready, so let's begin.
I have the Motorola pager schematics and service manual, and I also found an article in English. I will paste it in first; that saves explaining.
U2 contains a 256-byte EEPROM and talks to the MCU over SPI. Unfortunately U2 is not just an EEPROM: it also carries the crystal oscillator, key-press detection and preliminary decoding, so to me it looks more like a microcontroller. When a Motorola pager is programmed, a password can be set. If the pager holds a password, the next time it is read or written it demands the password; if none is entered, or the wrong one, the PC screen warns "wrong password, you have 7 attempts left".
If the wrong password is entered 7 times in a row, the pager locks up and loses all function; the only remedy is to replace the code chip.
motorola u 9 How to decode Motorola pager passwords
Posted by Jack Ryan - 2009/04/06 07:40
_____________________________________
Here's a stab at trying to explain how to decode encrypted Motorola pager passwords. This has been verified to work with pretty much all Motorola pagers on the market, including 1.5- and 2-way pagers.

First, plaintext pager passwords can only contain A-Z, 0-9 and (space) for characters. The plaintext passwords are always encoded as 10 characters even if there are fewer than 10 characters in the plaintext password. Basically there is some sort of lookup table contained in the PPS (pager programming software) which either encodes or decodes the password. The lookup table is included further down in this posting.

Conveniently, when a pager's programming is read using the PPS, all the passwords come out (assuming you know the pager's download password if it has one) in the encoded form. You can either sniff the passwords out of the programming read as it's happening, or you can save the freshly read pager configuration to a file and then import it into a hex editor as a Motorola S19 file. A favorite program of mine for hex editing, which will import Motorola S19 files, is called Hex Workshop.

Finding the passwords is easy. If you are using Hex Workshop, you simply import the saved file (codeplug) and search for a string of letters and numbers. You will see them looking something like this: NEJF1K54H5, or something like OJ Y2VPSQV (note the space in the second example). The two encoded passwords listed above decode to ADVELITERF and N500OTAPAS. Passwords are located in different places for different pager models, but in the Advisor Golds and Elites the OTA and Download passwords are stored near the top of the file, with the Secure password stored towards the lower middle of the file. Beware of the first three characters in the string because they are not related. The best thing to do is find the end of the first string of A-Z and 0-9 characters and count backwards by 20. Grab the next 10 characters forward and decode them: this is the OTA password. Grab the next 10 characters and decode them: this is the Download password. Further down, standing out like a sore thumb, is the Secure password. Decode it and you'll have it.

It'd be nice if you post what you find. Passwords have their place, but many people are legitimately trying to gain access to pagers which they own and don't have the passwords for. By the way, even if there is no download password set, the last known download password is still encoded. It's a matter of a bit set in the pager to tell it to use the password or not.

I'm sure there's a lot that I'm not explaining properly, and I'm kind of in a hurry, so feel free to email me with questions at jackryan...@yahoo.com. I can also decode passwords for you if you have the stored codeplug file and can send it to me.

Now for the decoding table. How to use it is this: there will be 11 columns. The first column is the decoded letter or number of the particular encoded character you are trying to find. The next 10 columns are the encoded characters that you must search and match, depending on what position in the encoded password you are trying to find. An example is included
below for clarity.

D   0  1  2  3  4  5  6  7  8  9
A   N  1  O  B  6  C  P  2  Q  D
B   6  C  P  2  Q  D  7  E  R  3
C   P  2  Q  D  7  E  R  3  S  F
D   7  E  R  3  S  F  8  G  T  4
E   R  3  S  F  8  G  T  4  U  H
F   8  G  T  4  U  H  9  I  V  5
G   T  4  U  H  9  I  V  5  W  J
H   9  I  V  5  W  J  0  K  X  sp
I   V  5  W  J  0  K  X  sp Y  L
J   0  K  X  sp Y  L  Z  M  A  N
K   X  sp Y  L  Z  M  A  N  1  O
L   Z  M  A  N  1  O  B  6  C  P
M   A  N  1  O  B  6  C  P  2  Q
N   1  O  B  6  C  P  2  Q  D  7
O   B  6  C  P  2  Q  D  7  E  R
P   2  Q  D  7  E  R  3  S  F  8
Q   D  7  E  R  3  S  F  8  G  T
R   3  S  F  8  G  T  4  U  H  9
S   F  8  G  T  4  U  H  9  I  V
T   4  U  H  9  I  V  5  W  J  0
U   H  9  I  V  5  W  J  0  K  X
V   5  W  J  0  K  X  sp Y  L  Z
W   J  0  K  X  sp Y  L  Z  M  A
X   sp Y  L  Z  M  A  N  1  O  B
Y   L  Z  M  A  N  1  O  B  6  C
Z   M  A  N  1  O  B  6  C  P  2
0   K  X  sp Y  L  Z  M  A  N  1
1   O  B  6  C  P  2  Q  D  7  E
2   Q  D  7  E  R  3  S  F  8  G
3   S  F  8  G  T  4  U  H  9  I
4   U  H  9  I  V  5  W  J  0  K
5   W  J  0  K  X  sp Y  L  Z  M
6   C  P  2  Q  D  7  E  R  3  S
7   E  R  3  S  F  8  G  T  4  U
8   G  T  4  U  H  9  I  V  5  W
9   I  V  5  W  J  0  K  X  sp Y
sp  Y  L  Z  M  A  N  1  O  B  6
(sp = space)

Let's say for example we
have 4IS28U5OB6. The first character in the string is a 4, so search down the 0 column until you find 4 and look at the D column for that row. It comes out to be a T, so your first decoded character is a T. Next is I: search the 1 column for I, which decodes to an H. Next is S: search the 2 column to find E. Search the 3 column for 2 to find B, search the 4 column for 8 to find E, and so on and so on. The decoded string comes out to THEBEST, which is a very common PageNet password. Any trailing spaces get dropped, so the final password is THEBEST. It also turns out that the PPS software stores its service center passwords the same way. It takes a bit of searching through the PPS executable files which support service center, but it's the exact same thing. They usually stand out like a sore thumb. I hope this helps some people figure out what the passwords are that they need. Also be careful of O (Oh) and 0 (zero) as they look very similar. Enjoy! Jack
============================================================================
motorola u 9 How to decode Motorola pager passwords
Posted by Jack Ryan - 2009/04/06 07:40
_____________________________________
Question: This system will only work if you know the pager password? I tried a Motorola Express Xtra from our store stock; I already know the password, just to try if I can find it in Hex Workshop. Thanks. How can I sniff the password out?

In example two you didn't actually read the pager. The pager won't allow a read till you enter the right password. That's where this system falls short. Knowing how to decode the passwords only helps if you can read the pager or have a codeplug of that pager stored to disk. Jack

P.S. Sorry I haven't been around. Work got busy again.
============================================================================
This foreigner's article is very valuable:
1) The pager's password ciphertext is always 10 characters, whether you entered 1 letter or 10.
2) When the pager is read with the programmer, these passwords are read by the MCU (U1 in the Advisor), in encrypted form of course.
3) This guy built a look-up table mapping ciphertext to plaintext: 37*10 = 370 entries in total. That means he tried at least 370 times; his persistence puts me to shame.
4) But as he also says, you can only recover the plaintext once you have the codeplug contents, and he does not write how to get at the EEPROM contents.
5) That is about all the background knowledge there is. So how do we crack this password?
1. Does the serial port send the password to the PC and let the PC software do the comparison?
If so it would be easy: sniff the ciphertext with the LA, then look it up in the table. But Motorola's engineers would not be that naive. Watching with the Saleae, only the pager's serial number and inventory number are sent back. Heh.
2. When the pager is read, U1 must read the ciphertext from U2. So look at the SPI traffic.
The chip marked 99Z16 is the MCU; to its right is U2, marked 98J97. I soldered 0.1 mm enamelled wire to the SPI lines and connected it to the LA's test clips. The PPS (pager programming software) found online is a DOS version, nothing to be done about that; there was no XP back then. It can be run from a cmd window, though it sometimes reports a timeout; a few retries and it works. Actually, at first I dug out an old Win98 boot disk, and in Win98's DOS mode it ran without trouble.
The Saleae can capture up to 1000M samples, so capacity was not a problem, but when I actually opened all that data I found my brain was not up to it. I needed to choose an observation point. Since the MCU reads U2 after the PC reads the pager, I only observed what happens after pressing F3 "read a pager" in PPS: as soon as I pressed start on the Saleae, I pressed F3 in PPS. This time the data was much more manageable.
By the way, at the time I thought an 8-channel LA was plenty. In fact SPI takes 4 lines and the USART 2. Next time I will buy a 16-channel one. Heh. Clearly, at point 2 in the figure PPS sends the pager the read command; zooming in shows 43, 50, 50, 90. Protocol analysis is very convenient. At point 3 the pager returns 0x50, meaning a password is set (0x4E: no password, 0x44: disabled pager, 0x42: unprogrammed pager). After that the pager returns the serial number and inventory #. I do not know what the data after that is for.
So the SPI traffic before point 3 is the key data. Let's zoom in on it.
To be continued.........
From pager                 From PC
00 e0
11 00, 10 00, c0 00        E2
11 00, 10 00, e5 00        22
11 01, 10 00, ea 00        41  (A)
11 01, 10 00, eb 00        4C  (L)
11 01, 10 00, ec 00        5A  (Z)
11 01, 10 00, ed 00        4D  (M)
11 01, 10 00, ee 00        41  (A)
11 01, 10 00, ef 00        4E  (N)
11 01, 10 00, f0 00        31  (1)
11 01, 10 00, f1 00        4F  (O)
11 01, 10 00, f2 00        42  (B)
11 01, 10 00, f3 00        36  (6)
The PC read 12 bytes from the pager. According to Ryan's article, 10 of them are the password. Which 10? The first 2 are outside the range 0-9, A-Z and space, so it must be the last 10. Looking them up in the lookup table, the plaintext corresponding to the ASCII characters above is "m" followed by nine spaces. Indeed, the password I had entered was "m". So this is the ciphertext. If a microcontroller reads the SPI data while the programmer reads the pager, or reads these addresses (C0, E5, EA....) directly, it obtains the ciphertext, and with a table-lookup function it should get the plaintext password. Intercepting and decrypting this password is that simple.
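As an added example (not code from the original post, not Jack Ryan's, and not the author's mega48 program), the Python below does the two things the passage describes in software: it rebuilds the 37-row table from the one cyclic alphabet it turns out to be (every complete row in the posting is a shift of the same 37-character sequence, with the space sitting between X and Y), and it pulls the ten ciphertext bytes out of a transcript in the form captured above. CAPTURE is a constructed copy of that transcript; the reading of each MOSI burst as page select, command, address plus dummy byte follows the address map given later on this page. One check the table itself provides: by the posted rows, OJ Y2VPSQV decodes to 1500OTAPAS, not N500OTAPAS (row N puts 1 in column 0, row 1 puts O there), so one of those two strings in the post carries a one-character slip.

```python
"""Decode Motorola pager passwords from the U1<->U2 SPI reads captured above.

Added example: not code from the original post, from Jack Ryan, or from the
author's mega48 program.  The posted 37 x 10 table collapses to one cyclic
alphabet (CYCLE); CAPTURE is a constructed copy of the transcript on the page.
"""
import re

# The 37 plaintext characters in the order the posted table cycles through
# them; position 32 is the space.  Row c, column p of the posted table is
# CYCLE[(index(c) + p + 1) % 37].  Every complete row in the post satisfies
# this, and each row that lost a character in extraction lost exactly the space.
CYCLE = "AN1OB6CP2QD7ER3SF8GT4UH9IV5WJ0KX YLZM"
assert len(CYCLE) == 37 and len(set(CYCLE)) == 37
PASSWORD_LEN = 10


def encode_char(c, pos):
    return CYCLE[(CYCLE.index(c) + pos + 1) % 37]


def decode_char(e, pos):
    return CYCLE[(CYCLE.index(e) - pos - 1) % 37]


def encode_password(plain):
    """Pad to 10 with spaces (as PPS does) and encode position by position."""
    plain = plain.upper().ljust(PASSWORD_LEN)
    if len(plain) != PASSWORD_LEN or any(c not in CYCLE for c in plain):
        raise ValueError("password must be 1-10 characters from A-Z, 0-9, space")
    return "".join(encode_char(c, p) for p, c in enumerate(plain))


def decode_password(cipher):
    """Inverse of encode_password; trailing pad spaces are dropped."""
    if len(cipher) != PASSWORD_LEN or any(c not in CYCLE for c in cipher):
        raise ValueError("ciphertext must be 10 characters from A-Z, 0-9, space")
    return "".join(decode_char(e, p) for p, e in enumerate(cipher)).rstrip()


def lookup_table():
    """Rebuild the full 37-row table exactly as the post lays it out."""
    return {c: [encode_char(c, p) for p in range(PASSWORD_LEN)] for c in CYCLE}


# Constructed copy of the exchange captured on the page.  Each MOSI burst is
# a page select (11 pp), a command (10 00) and the address with a dummy byte
# (aa 00); MISO answers with one data byte.
CAPTURE = """
11 00,10 00,c0 00 | e2
11 00,10 00,e5 00 | 22
11 01,10 00,ea 00 | 41
11 01,10 00,eb 00 | 4c
11 01,10 00,ec 00 | 5a
11 01,10 00,ed 00 | 4d
11 01,10 00,ee 00 | 41
11 01,10 00,ef 00 | 4e
11 01,10 00,f0 00 | 31
11 01,10 00,f1 00 | 4f
11 01,10 00,f2 00 | 42
11 01,10 00,f3 00 | 36
"""


def parse_capture(text):
    """Return {(page, address): data} from 'mosi bytes | miso byte' lines."""
    reads = {}
    for line in text.strip().splitlines():
        mosi, miso = line.split("|")
        words = [int(w, 16) for w in re.split(r"[ ,]+", mosi.strip())]
        page, address = words[1], words[4]      # 11 <page> 10 00 <address> 00
        reads[(page, address)] = int(miso.strip(), 16)
    return reads


def password_from_capture(text):
    """The first run of ten reads whose data is all A-Z/0-9/space is the ciphertext."""
    data = [chr(v) for _, v in sorted(parse_capture(text).items())]
    for i in range(len(data) - PASSWORD_LEN + 1):
        window = "".join(data[i:i + PASSWORD_LEN])
        if all(c in CYCLE for c in window):
            return decode_password(window)
    raise ValueError("no ten-character A-Z/0-9/space run in the capture")
```

decode_password("4IS28U5OB6") returns THEBEST and password_from_capture(CAPTURE) returns M; encode_password("m") reproduces the ALZMAN1OB6 seen on the bus. That round trip is the whole security story: the "encryption" is a fixed, keyless substitution that depends only on character position, so anyone who can read the ten bytes, from the bus or from a saved codeplug, has the password.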
3. Could I write a byte directly to U2 and mask the password enable?
To be continued.....
Continuing with Ryan's article. What is read from the pager is a Motorola S19 file. I saved the information read out with F4 in PPS; it is a text file of 258 bytes. U2's EEPROM is 256 bytes, so there are 2 extra bytes. If, when the PC programs the pager, it really sends these 258 or 256 bytes, that is, plaintext with no further encoding, then I only need to compare the files with and without a password to know what has to be changed. (PPS has an option "password enable yes or no". Nothing else needs changing: set it to yes and the pager's programming password takes effect; set it to no and it does not.)
Now I needed to check whether what is sent is really the S19 file. I pressed start on the Saleae before pressing F4 to program, and captured until the pager beeped and programming finished. The data lasted a little over 9 seconds, using 200M samples.
1-2 matches the read sequence: again the password ciphertext, the serial number and the inventory number. Here I suddenly noticed something: a pager with no password set responds to 0xE5 with 0x01,
while a pager with a password responds with 0x21, or 0x22, 23, 24 ... 28. Could writing 0x01 to 0xE5 later disable the password?
2-3 is from the PC to the pager, presumably asking the pager to return the EEPROM contents, that is, the read command.
3-4 is the pager returning the EEPROM contents. I checked: it is that S19 file. Study its timing and a microcontroller can read the EEPROM. The addresses run 0xC0-0xCF, 0xD0-0xDF, 0xE0-0xEF, 0xF0-0xFF, each preceded by a page select: 11,00; 11,01; 11,02; 11,03. That works out to 16*4*4 = 256.
4-5 is the PC sending the S19 file to be written to the pager; for each byte sent, the pager returns one to the PC for verification. At this point nothing is written to the EEPROM over SPI, because all the data is identical.
5-6 must be the SPI write of the data, because the timing is long; writing is the slowest operation.
6-7 is the pager returning the written EEPROM contents to the PC to verify. In PPS you can see that programming ends with "verify OK".
3.1) EEPROM read timing
First, of course, the read timing has to be imitated.
This is the final verification reading 0xE8; it is the same as the timing of the read in response to the PC at the start.
I wrote a small program for the m48 to read the EEPROM and send it to the PC over UART. No problem.
3.2 Write to EEPROM
The important step is how to write to the EEPROM. It includes 3 parts:
A, which address should be written?
B, which data should be written?
C, the timing
I read Ryan's paper. He mentioned that the file written to the pager is an S19 file. If so, I can save 2 archives that are the same except that one has a password and the other disables the password. I checked the archive without a password. The result is positive.
I compared these 2 archive files. The only difference is that in the file with the password one byte is 21 and in the other it is 01; it looks like 4d211cff versus 4d011cff. Now I had solved problem C.
Next, I had to find the address.
At first I thought the address was 0xe5, since if I set a password in the pager, the MCU in the pager reads 0xe5 when the PC reads the pager. Unfortunately, there is no 0xe5 in the write. I tried looking for 0x21, but there are two 0x21s in the file. After spending some time I found the position in Saleae. The address is 0x65. It seems that the address is 0xe5 in reading and 0x65 in writing (11100101 vs 01100101). The timing sequence is
MOSI: 11 80, 10 06, 65 21, 10 07, 10 06, 10 02, 65 21, 10 03, 10 02, 10 00
I wrote a simple C program for the mega48 and sent 0x01 to address 0x65. Even though the pager had a password, the password was disabled. The only problem is that the pager is powered on and its MCU also sends data, which sometimes collides with my data, so I had to try several times, for example 10 times or a dozen.
Tips for hacking
1. It is essential to be familiar with the functions of the device being cracked. When the pager gets a wrong password it tells you how many attempts remain; from that you can find the address that holds the attempt count, and writing most likely goes to that same address.
2. An LA with a large capture depth makes it easy to see the whole timing, which helps in grasping the overall communication process.
3. Other people's data is useful.
PHASE TWO: Hack Scriptor pager
After hacking the Advisor, I moved on to hacking the Scriptor pager.
I got an article from the internet:
5. Old-style Elite units (93 and 94 versions)
On the reader/writer select the Elite unit and open the pager. Connect the Elite-specific unlock cable: black to ground, yellow to test point P3, blue to capacitor C024, and ground R009 of the pager. Fit the battery, insert the pager into the reader/writer and press the unlock key; the unlock lamp lights. Press F3 to read; the unlock lamp lights and after a moment starts flashing. After about 10 seconds the lamp goes out. Remove the pager, hold down the small black switch on the writer and press F3 to read; the pager's internal data appears on the screen. Note down the password. Be aware that you must never write to the pager while in the unlock state; if you need to write, do so only after unsoldering the unlock cable and resetting the reader/writer.
Here is the schematic from my old computer.
It looks like it puts the MCU into bootstrap mode, a special mode of the MC68HC11. I am pretty sure the MCU is a Motorola MCU (Freescale now) since Motorola had an MCU design branch, and why would the pager designers not use their own microcontroller. I checked the pin names "MODA" and "MODB": they belong to the 68HC11 series. OK, I finished the 1st step: finding out the MCU type.
I sketched the hacking procedure: use bootstrap mode to download code into the RAM of the HC11; the code can then execute and read out the EEPROM data or erase the bulk (whole) contents. If I can write this code, it is done.
I had to read the 68HC11 datasheet, M68HC11 Bootstrap Mode (AN1060) and a book called m68hc11 原理与应用 (M68HC11 Principles and Applications). Actually, I wrote code in C and tried to use ICC11 and http://www.hobby-lcd.com/68hc11/power_up.htm. The problem was that I did not know the exact MCU part number. Is it an HC11E9 or A8 or??? I needed the corresponding header file for C. So I had to use assembly even though it was difficult for me. There were few resources I could find. I got a book: (Delmar) Technician's Guide to 68HC11 Microcontroller. I learned more about HC11 assembly language. I even thought that I would use machine language if I could not find an assembler.
I soldered wires to RST, MODB and the serial port and connected them to the LA and the m48. The TXD and RXD of the HC11 in the Scriptor are tied together through the series resistors R005 and R007 (see schematic), so I had to solder 2 wires to bring them out. I found a 38.4 kHz clock from the HC11 with the DSO.
First I wanted to read the communication data with the PC while reading the Scriptor; unfortunately the pager was disabled. I do not know why, and when I checked the data after the hack at power-up, no data came. I analyzed the LA data: it included the firmware or software version, serial # and inventory #, and 0x44, which means dead. Another problem was that PPS ran incorrectly in WIN98 DOS mode when I ran 串口助手 (a serial port helper tool). The actual baud rate was always the one set by 串口助手. The correct rate is 4800, not 1200.
Because in bootstrap mode the HC11 will send serial data back when it receives 0xff followed by other bytes (the 0xff itself is not sent back because it is for baud rate setting). The baud rate = E/16/16 = 38400/4/16/16 = 37.5, very slow. I programmed the M48 to reset the HC11 and send 0xff, 0x01, 0x02... etc.; then the HC11 sent data back. The confusing thing was that when I changed the sending baud rate, the HC11 could synchronize to the rate too. Then I wrote code to light an LED connected to PA6, but it failed. I doubted whether the HC11 part number was right. Finally I learned that the RAM in the HC11 is not the same for different part numbers. I sent 0x01 to 0xFF and looped this. I found the data were 640 bytes long and no more came after that. Fine, the RAM is 640 B. I got a spec list of the HC11 series: the 68HC11K series has 640 B of RAM and its pinout is the same as the one in the Scriptor. Plus, the HC11K can synchronize the UART speed. Then I wrote LED-lighting code revised from (Delmar) Technician's Guide to 68HC11 Microcontroller. I downloaded hc11demo (http://www.tec-i.com/wasm11.htm) and mot2bin from the internet. I used the m48 to send the bin data to the HC11K. This time it was right and I saw the LED on.
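The download procedure described here (reset with MODB low, 0xFF so the boot ROM can measure the bit rate, then the image byte by byte with every byte echoed) is the host-side job the m48 was doing. The Python below is an added example, not the author's mega48 firmware: it computes the bootstrap bit rate from the E clock as the page does, implements the RAM-size probe (send a counting pattern, count the echoes), and streams an image while checking every echo, failing on the first mismatch, which is the collision the author kept hitting. port is any object with write(bytes) and read(n), such as a pyserial Serial; EchoingBootRom is a constructed stand-in that behaves the way the page reports the HC11K behaving. How a real HC11 boot ROM terminates the load varies by part and is not modelled.

```python
"""Host side of the 68HC11 bootstrap-mode download described above.

Added example, not the author's mega48 firmware.  It models only what the page
describes: hold MODB low and reset, send 0xFF so the boot ROM measures the bit
rate, then send the image one byte at a time while the ROM echoes every byte.
'port' is any object with write(bytes) and read(n), e.g. a pyserial Serial;
EchoingBootRom is a constructed stand-in that behaves as the page reports the
HC11K behaving.  How a real boot ROM terminates the load differs by part and
is not modelled.
"""


def bootstrap_baud(e_clock_hz):
    """Bit rate of the boot ROM's SCI as the page gives it: E / 16 / 16."""
    return e_clock_hz / 16 / 16


class EchoingBootRom:
    """Constructed stand-in: swallows the 0xFF sync byte, then stores and
    echoes each byte until ram_size bytes have been loaded."""

    def __init__(self, ram_size):
        self.ram_size = ram_size
        self.ram = bytearray()
        self.synced = False
        self._pending = bytearray()

    def write(self, data):
        for b in data:
            if not self.synced:
                self.synced = b == 0xFF
                continue
            if len(self.ram) < self.ram_size:
                self.ram.append(b)
                self._pending.append(b)
        return len(data)

    def read(self, n):
        out, self._pending = bytes(self._pending[:n]), self._pending[n:]
        return out


def probe_ram_size(port, limit=4096):
    """The page's trick: after the sync byte, send a counting pattern and
    count how many bytes come back; the first silent byte marks the RAM end."""
    port.write(b"\xff")
    echoed = 0
    for i in range(limit):
        b = bytes([i % 254 + 1])           # 0x01..0xFE, never 0x00 or 0xFF
        port.write(b)
        if port.read(1) != b:
            break
        echoed += 1
    return echoed


def bootstrap_load(port, image, ram_size):
    """Send 0xFF then the image, verifying each echo.  Returns bytes loaded;
    raises on the first mismatch (the bus collision the author ran into), so
    the caller resets the HC11 and retries rather than running garbage."""
    if not 0 < len(image) <= ram_size:
        raise ValueError(f"image must be 1..{ram_size} bytes, got {len(image)}")
    port.write(b"\xff")                    # sync byte, never echoed
    for i, b in enumerate(image):
        port.write(bytes([b]))
        echo = port.read(1)
        if echo != bytes([b]):
            raise IOError(f"echo mismatch at byte {i}: sent {b:02x}, "
                          f"got {echo.hex() or 'nothing'}")
    return len(image)
```

probe_ram_size(EchoingBootRom(640)) returns 640, which is the observation that pinned the part down to the K series. Checking every echo rather than blasting the whole image is what turns "sometimes the data conflicts with my data" into a clean retry instead of code that silently runs with corrupted bytes in RAM.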
Finding the password
Now I knew the HC11 part number and had an assembler. Everything was easy. I wrote code to send out the EEPROM contents and monitored them with the LA, as below.
I compared 2 data flows that were programmed with different passwords. The encrypted passwords are shown below. I could sniff the data and convert them to retrieve the password using the lookup table shown before.
time (s)   | capture 1 | capture 2 |
31.303606  | 0x00      | 0x00      |
31.422792  | 0x42      | 0x42      |
31.541978  | 0x1F      | 0x20      |
31.661164  | 0x00      | 0x00      |
31.78035   | 0x00      | 0x00      |
31.899536  | 0x59      | 0x41      | DOWNLOAD PASSWORD
32.018722  | 0x4D      | 0x4C      |
32.13791   | 0x41      | 0x5A      |
32.257096  | 0x4F      | 0x4D      |
32.376282  | 0x41      | 0x41      |
32.495468  | 0x4E      | 0x4E      |
32.614654  | 0x31      | 0x31      |
32.73384   | 0x4F      | 0x4F      |
32.853026  | 0x42      | 0x42      |
32.972212  | 0x36      | 0x36      |
33.091398  |           | 0x32      |
33.210586  |           | 0x20      |
33.329772  |           | 0x20      |
33.448958  |           | 0x20      |
33.568144  |           | 0x20      |
33.68733   |           | 0x20      |
33.806516  |           | 0x20      |
33.925702  |           | 0x20      |
34.044888  |           | 0x20      |
34.164074  |           | 0x20      |
34.283262  |           | 0x31      |
34.402448  |           | 0x32      |
34.521634  |           | 0x33      |
34.64082   |           | 0x34      |
34.760006  |           | 0x35      |
34.879192  |           | 0x36      |
34.998378  |           | 0x37      |
35.117564  |           | 0x38      |
35.23675   |           | 0x39      |
35.355938  |           | 0x30      |
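Comparing the two dumps by eye works for one password; the Python below is the added tool a practitioner would use instead (not the author's HC11 code). It parses the "time | byte | byte |" export the LA produces, keeps a row where one capture has no byte as a gap, reports every run of differing offsets with an ASCII rendering, and decodes any run of ten password-alphabet characters with the same 37-character cycle that Jack Ryan's table amounts to. EXPORT is a constructed copy of the first rows of the table above.

```python
"""Diff two logic-analyzer exports of the Scriptor EEPROM dump.

Added example, not the author's HC11 code.  Input is the 'time | byte | byte |'
text the page shows; EXPORT is a constructed copy of its first rows, and a row
where one capture has no byte is kept as a gap.  Differing runs are reported
with an ASCII rendering, and any run of ten password-alphabet characters is
decoded with the same 37-character cycle that Jack Ryan's table amounts to.
"""

# Row c, column p of the posted lookup table is CYCLE[(i(c) + p + 1) % 37].
CYCLE = "AN1OB6CP2QD7ER3SF8GT4UH9IV5WJ0KX YLZM"


def decode_password(cipher):
    return "".join(CYCLE[(CYCLE.index(e) - p - 1) % 37]
                   for p, e in enumerate(cipher)).rstrip()


EXPORT = """\
31.303606 | 0x00 | 0x00 |
31.422792 | 0x42 | 0x42 |
31.541978 | 0x1F | 0x20 |
31.661164 | 0x00 | 0x00 |
31.78035 | 0x00 | 0x00 |
31.899536 | 0x59 | 0x41 | DOWNLOAD PASSWORD |
32.018722 | 0x4D | 0x4C | |
32.13791 | 0x41 | 0x5A | |
32.257096 | 0x4F | 0x4D | |
32.376282 | 0x41 | 0x41 | |
32.495468 | 0x4E | 0x4E | |
32.614654 | 0x31 | 0x31 | |
32.73384 | 0x4F | 0x4F | |
32.853026 | 0x42 | 0x42 | |
32.972212 | 0x36 | 0x36 | |
33.091398 | | 0x32 |
33.210586 | | 0x20 |
"""


def parse_export(text):
    """Return (times, capture_1, capture_2); an empty cell becomes None."""
    times, a, b = [], [], []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or not cells[0]:
            continue
        times.append(float(cells[0]))
        a.append(int(cells[1], 16) if cells[1] else None)
        b.append(int(cells[2], 16) if cells[2] else None)
    return times, a, b


def differing_runs(a, b):
    """Maximal index ranges [start, end) where the two captures disagree."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(a)))
    return runs


def render(column):
    """ASCII view: '.' for a non-printable byte, '_' for a missing cell."""
    return "".join("_" if v is None else chr(v) if 0x20 <= v < 0x7F else "."
                   for v in column)


def password_candidates(column):
    """(offset, plaintext) for each run of >= 10 password-alphabet bytes,
    decoding the first ten of the run as PPS would."""
    text, out, i = render(column), [], 0
    while i < len(text):
        if text[i] not in CYCLE:
            i += 1
            continue
        j = i
        while j < len(text) and text[j] in CYCLE:
            j += 1
        if j - i >= 10:
            out.append((i, decode_password(text[i:i + 10])))
        i = j
    return out
```

password_candidates(b) returns [(5, "M")] for capture 2, the "m" password from the Advisor experiment again. differing_runs also flags the 0x1F/0x20 byte at index 2, which differs between the two captures even though it lies outside the ten password bytes; it is worth checking before assuming the password bytes are the only thing a reprogram changes.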
Erasing the EEPROM
Since the whole EEPROM can be erased with a few commands, I wrote code to erase all the data. The internal 8 MHz clock was used, E clock = 2 MHz. When I read the EEPROM contents after erasing, they were 0xFF. Done!
Verification
I used PPS to read the Scriptor. It showed unprogrammed.
Tips for hacking
1. For a device like the Scriptor, which uses no external bus, you must know the MCU's part number and parameters. I found the part number from the RAM size and the pinout; knowing only the family is not enough.
2. Assembly is the most basic language short of machine code, and should be the safest choice.