
Thread: Codeplug password

  1. #1
    Join Date
    Mar 03, 2012
    Posts
    60
    Thanks
    13
    Thanked 65 Times in 24 Posts
    Country: United States

    Default Codeplug password

    Has anybody figured out how to get around the codeplug password in TRBO CPS (I'm using 7.5)? So far I have programmed a radio with a known password value and used winhex to sniff the memory when the password prompt comes up. I found my password a couple of times, but I think it may have been left over from when I entered it into the form field to set it. When I restart CPS and read the radio, I can't find my password anywhere. It seems like a lot of text is stored with spaces in between, so I've tried that, and tried searching on partial strings, but to no avail.


  2. #2
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Default

    You need to use Wireshark to sniff the network traffic between the radio and PC. The password is in plain text in one of the packets from the radio and I remember it's located near the radio name, which is by default "Motorola". The password will be in Unicode, so if the password was "password" it would look like this: "p.a.s.s.w.o.r.d."

  3. #3
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Default

    I believe that a program called portmon will also sniff the traffic. It is a lot easier to run than is wireshark.

  4. #4
    Join Date
    Mar 03, 2012
    Posts
    60
    Thanks
    13
    Thanked 65 Times in 24 Posts
    Country: United States

    Default

    Thanks guys. I used wireshark and it was no problem. I'm in the process of writing up a quick tutorial to post here with screenshots.

  5. #5
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Default

    Cool, thanks for contributing to the site! I look forward to reading it.

  6. #6
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Default

    Me too, it would make a nice document for the library.

  7. #7
    Join Date
    May 20, 2012
    Location
    Snowy Russia
    Posts
    194
    Thanks
    31
    Thanked 34 Times in 19 Posts
    Country: Russian Federation

    Default

    [Note: I copied/moved this post to the related thread. Please continue conversation on ASTRO25 radios there - Mars]

    Hi everyone!
    I wonder whether this trick would work with XTS2500/5000 radios. I tried to connect my XTS2500 with a USB cable and run Wireshark. The PC recognises the radio OK, but Wireshark won't see it.
    The step-by-step manual for detecting the password would be much appreciated.
    Thanks in advance!

  8. #8
    Join Date
    Dec 21, 2011
    Posts
    4,051
    Thanks
    2,964
    Thanked 5,774 Times in 1,707 Posts
    Country: Canada

    Default

    Please note the Motorola ASTRO25 codeplug bypass discussion has been moved. Please read the note in the above post, before replying. THANK YOU.

  9. #9
    jlm59 No Longer Registered

    Default CPS 8.0

    Quote: Originally Posted by 16b
    Thanks guys. I used wireshark and it was no problem. I'm in the process of writing up a quick tutorial to post here with screenshots.

    Am using CPS 8.0 and see the traffic with Wireshark but I cannot see a password.
    Any ideas?

  10. #10
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Default

    The password is in plain unicode text shortly after the radio name in a packet.

  11. #11
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Default

    The password will be formatted X.X.X.X.X. so look for something like this: if the PW is NOTAROLA, N.O.T.A.R.O.L.A in the ASCII dump field.

  12. #12
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    625
    Thanks
    106
    Thanked 180 Times in 92 Posts
    Country: Canada

    Default

    I find that if you stop capturing with Wireshark as soon as the box asking for the password pops up, it's easier to find (it should be in one of the last few packets logged at that point). I can post an example of what you are looking for later on if it's any help.

  13. #13
    Ubermcoupe No Longer Registered

    Default

    Quote: Originally Posted by Forts
    I find that if you stop capturing with Wireshark as soon as the box asking for the password pops up, it's easier to find (it should be in one of the last few packets logged at that point). I can post an example of what you are looking for later on if it's any help.

    Hey all,

    I recently picked up an XPR6350 UHF2 and was (unfortunately) met with a CPS prompt. I’ve tried utilizing Wireshark (per the instructions above) and have been unsuccessful so far. I’ve saved the Wireshark file (42 lines); could someone help me comb through it or point me in the right direction?

    Thanks,

  14. #14
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    625
    Thanks
    106
    Thanked 180 Times in 92 Posts
    Country: Canada

    Default

    I'll take a look at them if you like. You can send the logs to forts2@gmail.com.

  15. #15
    Ubermcoupe No Longer Registered

    Default

    Forts,

    I appreciate it. I just sent them your way.

  16. #16
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    625
    Thanks
    106
    Thanked 180 Times in 92 Posts
    Country: Canada

    Default

    Any luck? Did you get my email reply with the suggested password?

  17. #17
    Ubermcoupe No Longer Registered

    Default

    Quote: Originally Posted by Forts
    Any luck? Did you get my email reply with the suggested password?

    Forts,

    It worked great! Not sure how I missed it and sorry for the delay in response.

    -UMC

  18. #18
    stumbler No Longer Registered

    Default

    Codeplug on Hard Disk - WinHex, HxD, etc.

    Codeplug in radio - Wireshark

  19. #19
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Default

    Quote: Originally Posted by mantoch
    Codeplug on Hard Disk - WinHex, HxD, etc.

    The codeplug is encrypted on disk.

  20. #20
    Join Date
    Jun 12, 2012
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    </RC_CPPASSWORD>, HxD, search this byte.

  21. #21
    Join Date
    Apr 01, 2013
    Posts
    121
    Thanks
    2
    Thanked 41 Times in 17 Posts

    Default

    So I start Wireshark, select the interface and hit CAPTURE.
    Go to TRBO CPS and attempt to read a codeplug passworded radio.
    Get the prompt for password in CPS.....then stop packet capture.
    I should see the password in the packets somewhere?

    i.e. P.A.S.S.W.O.R.D. for PASSWORD

    I assume it's case sensitive too!?!?!?



    Quote: Originally Posted by Ubermcoupe
    Forts,

    It worked great! Not sure how I missed it and sorry for the delay in response.

    -UMC

  22. #22
    com501 is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Jan 18, 2013
    Location
    In Your Network
    Posts
    2,324
    Thanks
    1,716
    Thanked 1,427 Times in 722 Posts
    Country: United States

    Default

    Yes, it is case sensitive, and accepts pretty much any ASCII characters.

  23. #23
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Default

    Yes, it is after the radio name, which by default is Motorola. If you can't find it, zip your capture and post it here, and I will write up a tutorial on finding it.

  24. #24
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    625
    Thanks
    106
    Thanked 180 Times in 92 Posts
    Country: Canada

    Default

    It will be in the largest packet which should be right near the end of the capture log (assuming you stop the capture as soon as the CPS asks for the password). In the saved capture files that I have, the packet length was always 394, but your mileage may vary.

    Here are the contents of the packet:

    Code:
    0000   0a 00 3e db 0a ee 0a 00 3e 76 91 54 08 00 45 00  ..>.....>v.T..E.
    0010   01 7c 00 61 00 00 40 06 e3 c7 c0 a8 0a 01 c0 a8  .|.a..@.........
    0020   0a 02 1f 42 09 09 00 01 47 ce b7 66 0e 7f 50 18  ...B....G..f..P.
    0030   08 60 e8 d1 00 00 01 52 00 0b 01 07 00 03 00 06  .`.....R........
    0040   04 0a 01 46 81 00 00 80 00 0a 00 00 01 38 00 00  ...F.........8..
    0050   01 38 27 30 18 bc 62 f1 01 04 14 06 03 18 06 08  .8'0..b.........
    0060   1e 05 03 48 42 0f 00 55 5d 63 69 6f fa fa fb fb  ...HB..U]cio....
    0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00b0   a4 40 0e 50 24 0a c4 80 0a 0a 02 09 06 10 00 31  .@.P$..........1
    00c0   00 32 00 32 00 31 00 00 00 00 00 00 00 00 03 e8  .2.2.1..........
    00d0   14 00 16 63 00 31 00 32 00 36 00 00 00 00 00 00  ...c.1.2.6......
    00e0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00f0   00 00 00 00 00 00 22 60 ff ff ff 04 08 02 75 19  ......"`......u.
    0100   00 65 00 6e 00 2d 00 75 00 73 00 00 00 00 00 00  .e.n.-.u.s......
    0110   01 90 ff f4 00 00 00 06 00 00 ff f4 00 00 00 06  ................
    0120   00 00 ff f4 00 00 00 12 00 00 fd 20 00 00 fd 40  ........... ...@
    0130   00 00 00 00 00 00 00 00 00 00 00 46 01 90 4c 57  ...........F..LW
    0140   02 0a 01 2c 00 3c 1e d2 05 01 00 46 01 2c 1f 42  ...,.<.....F.,.B
    0150   62 11 05 f4 00 19 00 46 00 00 00 00 00 00 20 50  b......F...... P
    0160   8a a8 00 3c fa fa 16 32 fb fb 00 02 7c 5e 00 00  ...<...2....|^..
    0170   12 ce 0f 1e 00 24 0a 0a 04 00 85 74 17 48 00 58  .....$.....t.H.X
    0180   0a 00 00 00 00 00 00 00 00 00                    ..........
    I always look for the 'u.e.n.-.u.s' text so I know I'm in the right ballpark. In this example the password is 1221 and the radio name is c126. If you try this with your own radio the password and radio name will jump right out at you... makes it a little easier to know what you are looking for.
    Last edited by Notarola; Jul 11, 2013 at 01:11 PM. Reason: highlighted code
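
An added example, not part of the original posts: a Python script that parses rows 0x00b0 to 0x0100 of the frame quoted in the post above and lists every run of printable two-byte text with its offset, which is the "X.X.X." pattern the posters pick out by eye. In these bytes each character is followed by a 00 byte (UTF-16LE); the function names and the three-character minimum are choices made for this example.

```python
import re

# Rows 0x00b0-0x0100 copied from the frame in the post above
# (offset, 16 hex bytes, ASCII column).
DUMP = """
00b0   a4 40 0e 50 24 0a c4 80 0a 0a 02 09 06 10 00 31  .@.P$..........1
00c0   00 32 00 32 00 31 00 00 00 00 00 00 00 00 03 e8  .2.2.1..........
00d0   14 00 16 63 00 31 00 32 00 36 00 00 00 00 00 00  ...c.1.2.6......
00e0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00f0   00 00 00 00 00 00 22 60 ff ff ff 04 08 02 75 19  ......"`......u.
0100   00 65 00 6e 00 2d 00 75 00 73 00 00 00 00 00 00  .e.n.-.u.s......
"""

# Offset column, then up to 16 hex byte pairs; the ASCII column is ignored.
ROW = re.compile(r"^([0-9a-fA-F]{4,8})\s+((?:[0-9a-fA-F]{2} ?){1,16})")

# A printable ASCII byte followed by 0x00, at least three times in a row.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")


def parse_hexdump(text):
    """Return (offset_of_first_row, raw_bytes) for a Wireshark-style dump."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank or non-dump line
        if base is None:
            base = int(m.group(1), 16)
        data += bytes.fromhex(m.group(2))
    return base, bytes(data)


def utf16le_strings(text):
    """List (frame_offset, decoded_text) for each cleartext UTF-16LE run."""
    base, data = parse_hexdump(text)
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in UTF16LE_RUN.finditer(data)]


if __name__ == "__main__":
    for offset, value in utf16le_strings(DUMP):
        print(f"0x{offset:04x}  {value!r}")
```

On the excerpt this reports three fields, at 0x00bf, 0x00d3 and 0x0101, all sent by the radio before any password has been entered in CPS.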

  25. #25
    Join Date
    Apr 01, 2013
    Posts
    121
    Thanks
    2
    Thanked 41 Times in 17 Posts

    Default

    ok thanks all....I'll give it a whirl