
Thread: Password sniffing an Icom 4163

  1. #1
    mrtor, Melbourne, Australia

    Password sniffing an Icom 4163

    Pulling my hair out, still trying to get over this locked portable.

    I am trying Portmon, as others here have said it is easy to use.

    Tried on both Win XP SP3 and Win 7 64-bit, and it always comes up NOT CONNECTED; I can Ctrl-E to get it to log.

    What the heck am I missing? The help file seems to tell me I am doing it right.

    My USB cable is set for COM2 and I have tried several others to no avail.

    Any clues appreciated
    Mike


  2. #2
    maxkelley (no longer registered)

    By locked, what exactly do you mean? There's obviously a radio power-on password, there's also the possibility of a programming/cloning password, and there's also the ability to keep programming data from being read from the radio (requiring you to write a brand-new blank file into the radio.)
    I am very familiar with the protocol used to write to/from these radios, and I am fairly familiar with the programming file data structure.

  3. #3
    mrtor, Melbourne, Australia

    Quote originally posted by maxkelley:
    By locked, what exactly do you mean? There's obviously a radio power-on password, there's also the possibility of a programming/cloning password, and there's also the ability to keep programming data from being read from the radio (requiring you to write a brand-new blank file into the radio.)
    I am very familiar with the protocol used to write to/from these radios, and I am fairly familiar with the programming file data structure.

    Hi Max

    I cannot read the radio nor write to the radio due to not having the cloning password. For clarity again, these are my own radios that I purchased from a dealer using my own conventional analogue & in digital mode frequencies. The dealer has screwed me over and wants lots of $$'s to unlock my radios that he was paid to program in the first place.

    I have looked at the stuff going back and forth via the USB port with Portmon and nowhere is the password shown in plain text or hex.

    If you have a way to bypass I would love to hear from you

    TIA
    Mike

  4. #4
    maxkelley (no longer registered)

    I've gotta play around with this a bit... My 3161 is currently out on loan, so I've gotta get it back before I can play with it

  5. #5
    mrtor, Melbourne, Australia

    Quote originally posted by maxkelley:
    I've gotta play around with this a bit... My 3161 is currently out on loan, so I've gotta get it back before I can play with it

    Hope you have more luck than me :-)

    Any help or thoughts will be gratefully received.

  6. #6
    k101, Melbourne

    G'day Mike, I had the same problem in the past with a M dealer who locked my radios with CPS. I took the radios back and told him to unlock the radios or I would contact Consumer Affairs Victoria and the ACCC, and you know what, the radios were unlocked there and then.

    So if I was you Mike I would contact Consumer Affairs first and have a chat to them before you speak to your dealer.

    Consumer Affairs Victoria phone # 1300 55 81 81 www.consumer.vic.gov.au/

    ACCC phone # 1300302 502 www.accc.gov.au/

    All the best with that and let us know how you go.


    AK

  7. #7
    mrtor, Melbourne, Australia

    Quote originally posted by k101:
    G'day Mike, I had the same problem in the past with a M dealer who locked my radios with CPS. I took the radios back and told him to unlock the radios or I would contact Consumer Affairs Victoria and the ACCC, and you know what, the radios were unlocked there and then.

    So if I was you Mike I would contact Consumer Affairs first and have a chat to them before you speak to your dealer.

    Consumer Affairs Victoria phone # 1300 55 81 81 www.consumer.vic.gov.au/

    ACCC phone # 1300302 502 www.accc.gov.au/

    All the best with that and let us know how you go.

    AK

    I will give CA a call first then :-)

    Be in touch with the progress

    Thanks for that
    Mike

  8. #8
    Join date: Feb 04, 2012; Posts: 1,874

    Icom software modifications are fair game if anyone has any.

  9. #9
    mrtor, Melbourne, Australia

    Quote originally posted by mrtor:
    I will give CA a call first then :-)

    Be in touch with the progress

    Thanks for that
    Mike

    Well, I have rung Consumer Affairs Victoria and it would appear as though what they have done may not in fact be illegal.

    They have asked me to document all of my case, provide the evidence I have via the emails back and forth and they will investigate it from there.

    They DID say, that if I go down this path that this may only serve to "P... Off" the supplier even more.

  10. #10
    Magnus, Avalon, United States

    Try the WinHex method. Read the radio and when you get the password prompt, open WinHex and go to Open RAM, then look for what may be the password.

  11. #11
    mrtor, Melbourne, Australia

    Quote originally posted by Magnus:
    Try the WinHex method. Read the radio and when you get the password prompt, open WinHex and go to Open RAM, then look for what may be the password.

    Thank you Magnus, that will be my afternoon project :-)

    Be in touch on success &/or otherwise

  12. #12
    mrtor, Melbourne, Australia

    Quote originally posted by mrtor:
    Thank you Magnus, that will be my afternoon project :-)

    Be in touch on success &/or otherwise

    3 hrs in and I thought I had made some progress. I have been playing with a mate's radio without a password so we had something we could put a known password in and then look at what was happening. Found patterns and could search for the hex and plain text versions of the known password.

    Then tried the locked radios and we failed in our attempts.

    From what I have found it appears as though many of the known password hits in WinHex were as a result of me doing multiple searches and stopping and starting WinHex each time.

    Thanks for the suggestion, still looking for an answer.

  13. #13
    motorolanovice (no longer registered)

    Quote originally posted by mrtor:
    3 hrs in and I thought I had made some progress. I have been playing with a mate's radio without a password so we had something we could put a known password in and then look at what was happening. Found patterns and could search for the hex and plain text versions of the known password.

    Then tried the locked radios and we failed in our attempts.

    From what I have found it appears as though many of the known password hits in WinHex were as a result of me doing multiple searches and stopping and starting WinHex each time.

    Thanks for the suggestion, still looking for an answer.

    I have used WinHex to get many passwords. Here's how I do it.

    Open the Icom software.
    Now start the WinHex program and open the RAM. Make sure it's in text display only.
    Read the radio; when it prompts for a password, type in something you know IS NOT IN THE RADIO like "mrtorisasexybeast".
    Now search in WinHex for mrtorisasexybeast; it will show up in about 3 or 4 places.
    Here's the trick: around those locations it finds will be the correct password.
    I know this sounds like a ****ty way to do it but I use it all the time and it works.

    I hope this helps.
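What the search above relies on is a programming application holding both the password it read back from the radio and the one just typed as plain text in memory while it compares them, so one sits close to the other until something overwrites it. The C model below is an added example, not Icom's code: the arena and slot offsets are a constructed stand-in for a process heap, and it shows that residue beside the defensive fix of wiping the buffers as soon as the comparison is done, which is also why the moment a RAM snapshot is taken decides whether anything is still there.

```c
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for a programming application's heap: the password
 * read back from the radio and the one the user types both get copied here
 * for comparison, which is why a RAM search near a known string finds it. */
#define ARENA_SIZE 256
#define SLOT_LEN   64
static unsigned char arena[ARENA_SIZE];

/* Byte-string search over the arena: what a RAM viewer's text search does. */
bool arena_contains(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return true;
    return false;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Copy both secrets into adjacent slots and compare, as a naive checker would. */
static bool compare_in_arena(const char *stored, const char *entered) {
    char *s = (char *)arena + 16;            /* slot for the stored password */
    char *e = (char *)arena + 16 + SLOT_LEN; /* slot for the user's input */
    strncpy(s, stored, SLOT_LEN - 1);  s[SLOT_LEN - 1] = '\0';
    strncpy(e, entered, SLOT_LEN - 1); e[SLOT_LEN - 1] = '\0';
    return strcmp(s, e) == 0;
}

/* Leaky variant: returns with both plaintexts still resident in memory. */
bool check_password_leaky(const char *stored, const char *entered) {
    return compare_in_arena(stored, entered);
}

/* Hardened variant: same result, but both slots are wiped before returning,
 * so a later memory read (or dump) no longer recovers either string. */
bool check_password_wiped(const char *stored, const char *entered) {
    bool ok = compare_in_arena(stored, entered);
    secure_wipe(arena + 16, 2 * SLOT_LEN);
    return ok;
}
```

After `check_password_leaky` a search for the deliberately wrong input lands right next to the stored value; after `check_password_wiped` neither string is found, matching the empty results a late RAM read gives.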

  14. #14
    mrtor, Melbourne, Australia

    Quote originally posted by motorolanovice:
    I have used WinHex to get many passwords. Here's how I do it.

    Open the Icom software.
    Now start the WinHex program and open the RAM. Make sure it's in text display only.
    Read the radio; when it prompts for a password, type in something you know IS NOT IN THE RADIO like "mrtorisasexybeast".
    Now search in WinHex for mrtorisasexybeast; it will show up in about 3 or 4 places.
    Here's the trick: around those locations it finds will be the correct password.
    I know this sounds like a ****ty way to do it but I use it all the time and it works.

    I hope this helps.

    Well you are a bloody genius! Thank you, thank you, thank you... That worked a treat.

    And after all that, guess what this scumbag set my password at?

    FU_KY_U

    So I don't offend, I left out the C and the O above, I think you get the picture.

    Well victory to me, now I am going to email this bloke and tell him his own password back :-)

    Thank you again, I owe you a couple of beers for getting me to this brilliant result

    Cheers
    Mike

  15. #15
    motorolanovice (no longer registered)

    It's ok mate, we're all here to help each other. I'm just glad you can now program your radios.

  16. #16
    wonky (no longer registered)

    Quote originally posted by mrtor:
    And after all that, guess what this scumbag set my password at?

    FU_KY_U

    Mike

    A bloody dealer did that!!! For the rest of us in Aus, can you advise, perhaps in general terms and not specific to the above example, of a dealer you would NOT recommend people deal with please!

  17. #17
    Magnus, Avalon, United States

  18. #18
    maxkelley (no longer registered)

    That's awesome, glad you beat me to it! It would be interesting to see if the "read from radio" lockout is also defeatable in software this way...

  19. #19
    Join date: Feb 04, 2012; Posts: 1,874

    It probably is. Since the CPS reads the PW from the radio, it should be a matter of locating the comparer function and bypassing it. I haven't looked at Icom software so I don't know what language it's written in. The edit should be a code change from "if not equal" to "is equal to".

  20. #20
    maxkelley (no longer registered)

    Well, there's a feature that prevents the radio from being read, only allows it to be written to with a blank/new file, so it doesn't matter whether or not you have a password. Like I said, I'll have to look into it.

  21. #21
    TheWizard (no longer registered)

    Reviving an older thread. I have an ICOM F5061D and F3161DT. The 3161 is password protected and I do not know what it is; the 5061 is not, but I can add a password/whatever.

    I've downloaded the WinHex program and have read the RAM, basically following the above instructional. When I get to the prompt and read the RAM, then enter the wrong password, I cannot search for it and find it... this requires a reload of the RAM. I've gotten to the prompt and entered an incorrect password, then searched the RAM for it, and I find two instances. In the case of the F5061 where I've set a password and then entered an incorrect one, I see nothing around it in the RAM dump resembling the correct password. A search for the correct one brings up nothing.

    Seeing as how several have had it work for them, maybe they can give me some insight as to what I'm doing wrong.

    Is there a real-time RAM viewer, and if not, when is the optimal time to read the RAM for the program and expect to see my answer?