
Thread: Any help w/ a WRITE-protected TK-8180?

  1. #1
    Join Date
    May 23, 2012
    Posts
    37
    Thanks
    20
    Thanked 0 Times in 0 Posts

    Got a couple of write-protected TK-8180s...
    Like to avoid sending these to KW as they charge $$$. Not really worth it to me unless I can unlock them myself. Otherwise they're shelf-warmers.... (this model you can't just write a fresh cp like the older ones)

    Anyone know a work-around?


  2. #2
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Do you have any that are not write protected? If so you can set a known password and then read the radio and snoop through the memory with WinHex's open ram option looking for the known password. See if you can find it and identify some data around it. Then repeat with the radio with the unknown password and see if you can locate it.

  3. #3
    Join Date
    May 23, 2012
    Posts
    37
    Thanks
    20
    Thanked 0 Times in 0 Posts

    Doh! Brilliant! Now I have to acquire another unit, but I think I just might know where one is.... Thanks!

    I'll advise success/failure when I have something to report.


    Quote (originally posted by Magnus):
        Do you have any that are not write protected? If so you can set a known password and then read the radio and snoop through the memory with WinHex's open ram option looking for the known password. See if you can find it and identify some data around it. Then repeat with the radio with the unknown password and see if you can locate it.

  4. #4
    Join Date
    Feb 27, 2012
    Location
    Raven Rock
    Posts
    121
    Thanks
    87
    Thanked 10 Times in 9 Posts

    There is a hack which I don't have in front of me which will allow engineer mode and can read without a password.

  5. #5
    Join Date
    Apr 17, 2012
    Location
    Melbourne, Australia
    Posts
    85
    Thanks
    29
    Thanked 3 Times in 3 Posts
    Country: Australia

    I would love to find out about this "Engineer Mode" also please

  6. #6
    Join Date
    Feb 12, 2012
    Location
    Directly above the center of the earth.
    Posts
    2,478
    Thanks
    519
    Thanked 1,091 Times in 570 Posts
    Country: Christmas Island

    I seem to remember hearing it involved installing the software with a "special" key that enabled "Engineer Mode". I guess you'd have to reinstall the software and give it the alternate key during installation. There might be a way to enter a key after installation but IIRC it's entered during the software installation. Some of the KW softs use the special key, some do not from what I have heard. I don't have the keys, unfortunately. I used to work for a legit KW dealer but we only had regular normal dealer keys at the time. I only heard about the special ones later on, but have never personally confirmed them.

  7. #7
    Join Date
    May 23, 2012
    Posts
    37
    Thanks
    20
    Thanked 0 Times in 0 Posts

    Quote (originally posted by medic550):
        There is a hack which I don't have in front of me which will allow engineer mode and can read without a password.

    I'm still planning on snooping with WinHex but PLEASE let us know if you find another method...

  8. #8
    Neo No Longer Registered

    I use OllyDbg and nop past the password. Once the cp is opened, the password is revealed in the cps.

    Many ways to get past the password. No reason for these radios to be shelf warmers!

  9. #9
    Join Date
    May 23, 2012
    Posts
    37
    Thanks
    20
    Thanked 0 Times in 0 Posts

    Quote (originally posted by Neo):
        I use OllyDbg and nop past the password. Once the cp is opened, the password is revealed in the cps.

        Many ways to get past the password. No reason for these radios to be shelf warmers!

    Can you explain a bit more? (I can't read the codeplug either. I was originally hoping to just overwrite with a fresh blank codeplug but that's blocked as well)

  10. #10
    GS4 is offline Inactive CS Forums $upporter
    Join Date
    Dec 25, 2011
    Posts
    80
    Thanks
    2
    Thanked 4 Times in 3 Posts

    If you can't find a way around drop me a note to GS4 at p25.ca I can help you out but I would need the radios.

    GS

  11. #11
    Join Date
    May 23, 2012
    Posts
    37
    Thanks
    20
    Thanked 0 Times in 0 Posts

    Quote (originally posted by GS4):
        If you can't find a way around drop me a note to GS4 at p25.ca I can help you out but I would need the radios.

        GS

    I will! Let me try the other bit first and if I fail, you'll likely be hearing from me.....

  12. #12
    Join Date
    Aug 21, 2012
    Posts
    4
    Thanks
    1
    Thanked 0 Times in 0 Posts

    This may have already been mentioned, but if you have a valid 8180 file, try and write it to the radio. I had to do this last weekend for a fire department with write protected NX-800s. It worked well after that. I could assign another password and set up security parameters after the write.

  13. #13
    GS4 is offline Inactive CS Forums $upporter
    Join Date
    Dec 25, 2011
    Posts
    80
    Thanks
    2
    Thanked 4 Times in 3 Posts

    Quote (originally posted by sierra2way):
        This may have already been mentioned, but if you have a valid 8180 file, try and write it to the radio. I had to do this last weekend for a fire department with write protected NX-800s. It worked well after that. I could assign another password and set up security parameters after the write.

    This will not work when there is a WRITE PROTECT password, the radio you were working with most likely had a READ password.

    GS

  14. #14
    Join Date
    Apr 18, 2012
    Location
    Acworth,Ga (North Cobb) BEAT 411 Z1/Z1/Station 26
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts

    If this person still has the 8180 locked please email me at k4svt@me.com

  15. #15
    com501 is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Jan 18, 2013
    Location
    In Your Network
    Posts
    2,325
    Thanks
    1,716
    Thanked 1,428 Times in 722 Posts
    Country: United States

    Bob, are these from Burning Man by chance?? Call me in my office in Reno tomorrow anyway, I may know where you got them, and probably have the password.

  16. #16
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Quote (originally posted by K4SVT5415):
        If this person still has the 8180 locked please email me at k4svt@me.com

    These forums are based on the open discussion of issues and fixes. Your post looks like you may have a private fix, I apologise if I am wrong. We try to avoid private fixes. In com501's case it is obvious he is just trying to avoid openly posting a password for a customer. The original post was looking for a software mod or a port monitoring method to hopefully extract the PW and allow reprogramming. This information would be useful to everyone.

  17. #17
    com501 is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Jan 18, 2013
    Location
    In Your Network
    Posts
    2,325
    Thanks
    1,716
    Thanked 1,428 Times in 722 Posts
    Country: United States

    This brings up an interesting point, in that I did have one of these radios a couple of years back that I couldn't open. The KW tech emailed me a file to open the radio with that overwrote the password and also defaulted the radio to 'unprogrammed'. I will see if I can find that file. It was based on the serial number somehow as I recall and since it was for a public safety entity and was time sensitive they did it without sending the radio to the factory.

    In the meantime, I'm going to poke around with the portmon stuff and see if anything pokes up. Bob and I go way back, he didn't know I was still around. We're going to play with this and if we find anything one way or another we'll start a thread.


    And PLEASE, if anyone else has already bumped their noggins on this, since KWs aren't as well circulated as Motorola password hacks, feel free to post your findings in a new thread.

  18. #18
    Join Date
    Feb 12, 2012
    Location
    Directly above the center of the earth.
    Posts
    2,478
    Thanks
    519
    Thanked 1,091 Times in 570 Posts
    Country: Christmas Island

    It's been a while but IIRC, like GS4 said, you may have had a radio that was only read protected. You can dump in a non-passworded codeplug if the radio is set up with just the read password. If it's write protected you're screwed since you can't overwrite the memory with a new unprotected image.

  19. #19
    Join Date
    Apr 18, 2012
    Location
    Acworth,Ga (North Cobb) BEAT 411 Z1/Z1/Station 26
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts

    k4svt@me.com please email me Notarola thanks

  20. #20
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Quote (originally posted by K4SVT5415):
        k4svt@me.com please email me Notarola thanks

    You may PM me

  21. #21
    Join Date
    Apr 18, 2012
    Location
    Acworth,Ga (North Cobb) BEAT 411 Z1/Z1/Station 26
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts

    you have been PM'd Notarola

  22. #22
    com501 is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Jan 18, 2013
    Location
    In Your Network
    Posts
    2,325
    Thanks
    1,716
    Thanked 1,428 Times in 722 Posts
    Country: United States

    If you know a work around, are you going to share it? We're still working this issue via email. I should have the suspect radios in my hands in a day or two if the file of passwords I have doesn't work. In the meantime, I do have somewhere a hack sent by KW if I can find it in my old emails. I'll post what we find on this.

  23. #23
    Join Date
    Apr 18, 2012
    Location
    Acworth,Ga (North Cobb) BEAT 411 Z1/Z1/Station 26
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts

    com501 you have been PM'd

  24. #24
    Join Date
    May 22, 2012
    Posts
    592
    Thanks
    193
    Thanked 232 Times in 118 Posts
    Country: United States

    What the hell is all this secret squirrel crap?

  25. #25
    com501 is offline T S - Moderator
    CS Forums $upporter
    Join Date
    Jan 18, 2013
    Location
    In Your Network
    Posts
    2,325
    Thanks
    1,716
    Thanked 1,428 Times in 722 Posts
    Country: United States

    I'm still working on this. It is apparent from looking at the codeplug that if you write all FFs where the password is supposed to go, and you have the matching serial number of the radio embedded in the codeplug it will erase the password when written to the radio. I haven't started working the method of serial number encryption yet (the password is plain text), nor have I looked at the serial traffic between the radio, nor have I looked at the software to see where it calls the password function to bypass it. When I come up with anything else, I will probably share it if it is something that anyone could easily discover and doesn't compromise proprietary information that could jeopardize MY job. This can't be any more complicated than a Trbo password or a CDM password. I just don't have a great deal of time, and not having any x180 radios at my disposal to play with at the moment makes it difficult.

    The previous poster has some ideas, but chooses to not risk his employment.