Codeplug password

hoser · Jul 10, 2013

So I start Wireshark, select the interface and hit CAPTURE.
Go to TRBO CPS and attempt to read a codeplug passworded radio.
Get the prompt for password in CPS.....then stop packet capture.
I should see the password in the packets somewhere?

ie P.A.S.S.W.O.R.D. for PASSWORD

I assume its case sensitive too!?!?!?

Ubermcoupe said:
Forts,

It worked great! Not sure how I missed it and sorry for the delay in response.

-UMC

com501 · Jul 10, 2013

Yes, it is case sensitive, and accepts pretty much any ASCII characters.

Magnus · Jul 10, 2013

Yes, it is after the radio name which by default is Motorola. If you can't find it, zip your capture and post it here, I will write up a tutorial in finding it.

Forts · Jul 10, 2013

It will be in the largest packet which should be right near the end of the capture log (assuming you stop the capture as soon as the CPS asks for the password). In the saved capture files that I have, the packet length was always 394, but your mileage may vary.

Here are the contents of the packet:

Code:

0000   0a 00 3e db 0a ee 0a 00 3e 76 91 54 08 00 45 00  ..>.....>v.T..E.
0010   01 7c 00 61 00 00 40 06 e3 c7 c0 a8 0a 01 c0 a8  .|.a..@.........
0020   0a 02 1f 42 09 09 00 01 47 ce b7 66 0e 7f 50 18  ...B....G..f..P.
0030   08 60 e8 d1 00 00 01 52 00 0b 01 07 00 03 00 06  .`.....R........
0040   04 0a 01 46 81 00 00 80 00 0a 00 00 01 38 00 00  ...F.........8..
0050   01 38 27 30 18 bc 62 f1 01 04 14 06 03 18 06 08  .8'0..b.........
0060   1e 05 03 48 42 0f 00 55 5d 63 69 6f fa fa fb fb  ...HB..U]cio....
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00b0   a4 40 0e 50 24 0a c4 80 0a 0a 02 09 06 10 00 31  .@.P$..........1
00c0   00 32 00 32 00 31 00 00 00 00 00 00 00 00 03 e8  .2.2.1..........
00d0   14 00 16 63 00 31 00 32 00 36 00 00 00 00 00 00  ...c.1.2.6......
00e0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00f0   00 00 00 00 00 00 22 60 ff ff ff 04 08 02 75 19  ......"`......[COLOR=#ff0000]u.
0100   00 65 00 6e 00 2d 00 75 00 73 00 00 00 00 00 00  .e.n.-.u.s[/COLOR]......
0110   01 90 ff f4 00 00 00 06 00 00 ff f4 00 00 00 06  ................
0120   00 00 ff f4 00 00 00 12 00 00 fd 20 00 00 fd 40  ........... ...@
0130   00 00 00 00 00 00 00 00 00 00 00 46 01 90 4c 57  ...........F..LW
0140   02 0a 01 2c 00 3c 1e d2 05 01 00 46 01 2c 1f 42  ...,.<.....F.,.B
0150   62 11 05 f4 00 19 00 46 00 00 00 00 00 00 20 50  b......F...... P
0160   8a a8 00 3c fa fa 16 32 fb fb 00 02 7c 5e 00 00  ...<...2....|^..
0170   12 ce 0f 1e 00 24 0a 0a 04 00 85 74 17 48 00 58  .....$.....t.H.X
0180   0a 00 00 00 00 00 00 00 00 00                    ..........

I always look for the 'u.e.n.-.u.s' text so I know I'm in the right ballpark. In this example the password is 1221 and the radio name is c126. If you try this with your own radio the password and radio name will jump right out at you... makes it a little easier to know what you are looking for.

hoser · Jul 10, 2013

ok thanks all....I'll give it a whirl

bg4wsw · Jul 14, 2013

Codeplug password :123456 (S3250C06DCC00F52240AC4800A2A020906100031003200330034003500360000000003E800007D)

no7rf · Jul 15, 2013

16b said:
Has anybody figured out how to get around the codeplug password in TRBO CPS (I'm using 7.5)? So far I have programmed a radio with a known password value and used winhex to sniff the memory when the password prompt comes up. I found my password a couple of times, but I think it may have been left over from when I entered it into the form field to set it. When I restart CPS and read the radio, I can't find my password anywhere. It seems like a lot of text is stored with spaces in between, so I've tried that, and tried searching on partial strings, but to no avail.

WinHEX works best on the CPS Image in RAM. It is handy to do a few dry runs first so you get used what to look for and where.

You might try a different plug or enter a test PW like 12345678 and then search for it using WH. As I recall, the PW will be there in order but will have a dot sandwiched between the digits of the PW.

Forts · Jul 15, 2013

I've never had luck with Winhex... Wireshark has never let me down however.

com501 · Jul 15, 2013

This is a networked device. As mentioned, you want to use Wireshark.

Eaton · Nov 6, 2013

Hi there!
There we go, I was lucky enough :bang: to purchase a password-protected DP4401.
I know I need to use Wireshark, however when I launch it I'm not able to see my radio in the list of available interfaces (of course it is turned on and connected to a "real" USB-port). The PC recognizes the radio well and CPS starts reading it but later pops up with a "enter password" screen.

What am I doing wrong?
Is there a way to overwrite the passworded codeplug without reading it first?

Notarola · Nov 6, 2013

The best way to confirm you have the radio connected and that wireshark can see it is to run wireshark with no radio connected and write down all the networks found. Then run wire share with the radio connected (and turned on) and write down all the networks again. Any new network in the list will be the radio.

Eaton · Nov 6, 2013

What I have figured out is that if I connect gen1 TRBO radio the Wireshark sees it properly, if I connect the gen2 radio (which is passworded) the Wireshark won't see it.

Of course there's a way to crash down the existing codeplug (as well as the password in it) by cloning to radio from a sample file but I have a habit to save a "legacy" codeplug from the used radios I lay my hands on and, secondly, I'm curios of what is so protected might be in my radio

Is there a way to modify TRBO CPS to make it ignore 5he password (just like Astro25 CPS)?
Or is it possible to save a codeplug from the radio without entering a password first? I guess there's a nice way to analyze the saved codeplug...

com501 · Nov 6, 2013

Do you have a Gen 2 programming cable?? If your cable isn't seeing the device, it won't establish a network connection.

Make sure you look in your network properties to insure that it hasn't been rejected or disabled.

DES-AJ · Nov 6, 2013

Has anyone determined if this is the same with the APX's yet? I haven't had any luck so far.

Magnus · Nov 6, 2013

It does not work with the APX.

DES-AJ · Nov 6, 2013

Damn... I guess it's buyer beware if you come across one thats protected...

Eaton · Nov 14, 2013

Oh, I’ve made it! Now I will go through all the points to save someone helluva nerves!

First, the Wireshark is only able to “see” interfaces when it is run in Admin mode (you must be logged in to your PC as Admin or a user with admin’s rights).

Second, if this is the first time you connect the particular radio to the PC (“new device found”) message pops up, you MUST restart your computer to let Wireshark detect it as an interface.

Now here we go. Start the Wireshark and select your MotoTRBO radio to capture. The screen will begin to fill with the captured data lines. Better note the last several lines before proceeding to the following step (you may not look through them further when looking for the password).
Then fire up the TRBO CPS. As soon as it’s up and walkin hit the “Read” button. Wait for the input password screen to pop up. NOW rush to the Wireshark and stop the capture! This will limit the number of strings for you to look through. If this is the first time you work with the Wireshark – be attentive! Do not panic if you can’t see the password in the ASCII field (in the bottom of the screen) immediately. Find the last several strings you have remembered before starting the TRBO CPS. Got it? Now start browsing the ASCII contents of every log string from the upper part. See the model and serial number of your radio? You’re getting close! Look for the u.e.n.-.u.s. Your password will be just before this word (just as a pic). Every symbol is divided with a dot, so when inputting it in the CPS use NO dots. In my example the password was 1250.
DONE!

Here are some things /\/\ wants us to know about the password in TRBO radios:

Now you know it’s not exactly true!

I’ve found a piece of advice that tells to try to read the password-protected codeplug and then open the RAM dump of mototrbocps.exe in the HxD or a similar software. Of course I’ve tried it and found it too difficult compared to the Wireshark method. The dump itself weighs 4 GB – imagine how many data strings it has!

That’s a pity we don’t know yet how to extract the advanced privacy keys which have already been loaded. I had to sacrifice them to program my own data to the radio 

I was using: DP4401 radio, PMKN4012B programming cable, CF-28 laptop with Win XP SP3 running on it, TRBO CPS 8.5 EMEA, Wireshark ver. 1.6.8.

com501 · Nov 14, 2013

Thanks for taking the time to put this down in a format people can understand. Those of us that have been doing this just 'Grok' it, but its hard to explain to someone who doesn't understand how Trbo network devices work all that well.

If posting about a radio issue: Include the HOST, DSP and UCM/secure firmware versions, flashcode and CPS version you're using along with the operating system info. This is critical information.

Codeplug password

hoser

Prolific Contributor

com501

Prolific Contributor

Magnus

Prolific Contributor

Forts

Prolific Contributor

hoser

Prolific Contributor

bg4wsw

Regular Member

no7rf

Contributing Member

Forts

Prolific Contributor

com501

Prolific Contributor

Eaton

Prolific Contributor

Notarola

Prolific Contributor

Eaton

Prolific Contributor

com501

Prolific Contributor

DES-AJ

Contributing Member

Magnus

Prolific Contributor

DES-AJ

Contributing Member

Eaton

Prolific Contributor

com501

Prolific Contributor