Sentinel SuperPro Brute Force

January 23rd, 2008, 19:07
Hello, I have searched the forum but still am a little unclear on some of the steps I need to perform to do this. I have a blank Sentinel SuperPro USB dongle. I have been able to read the data to find the serial number, DevID, and the write password. But as I have seen in other threads it is not easy getting the Overwrite password. I have read that you can use a brute force attack on the dongle to find the Overwrite password but it takes very long. What I would like to know is how to perform this brute force attack, for I have never used it before. And after I do use the brute force method and I retrieve the 2 Overwrite passwords, what do I do then? How would I write my own data to all those 0's from cell 8 to the end?
If anyone could help me in this that would be great. And if I did miss a thread somewhere that has this information I am deeply sorry; please point me in the right direction. Thnx

January 23rd, 2008, 19:48
Well how did you miss this Thread:


It's fairly old and is, of course, not discussing a usb dongle, but might be relevant.

AND you don't get to skate with just searching here!

YOU are also supposed to Search on the net for answers to YOUR question. If you have done that, you have not indicated you have done so.

For example, have you tried entering things, such as combinations of:

sentinel superpro brute force overwrite password


in YOUR favorite search engine and looked at some of the results? Again, if you have, how would we know you have done so? I got 31 hits.


January 23rd, 2008, 21:13
I did read that thread and the threads linked from that one. I am not asking this without doing some research. Google doesn't link to anything useful other than the threads in this forum. I wrote in my question, "but still am a little unclear on some of the steps I need to perform to do this." I stated I was unclear on how to perform the steps even if they were written there in those threads. This could be due to me not understanding some of the terminology in that thread. As I said, I have never performed any kind of brute force attack in my life. I do not know how it works or how it is set up. What I request is that some knowledgeable person on this forum please help a noob like me out in understanding what those threads say. Even after rereading them I still am unclear. And googling brute force attacks got me millions of different things that can be brute force attacked, and that only created more confusion for me.

There is actually a lot of information I see on the EXETOOLS forum but the registration is disabled and I can't download any files from them. If someone has a way for me to join them then that would help me out a lot.

January 24th, 2008, 05:27

I'm assuming you are trying to reprogram the memory contents inside the dongle and that you do not possess or have access to the overwrite passwords either legally or from an application that might reveal them.

I'm also assuming that the cells you are trying to program have been set as "locked" preventing you from simply reprogramming them trivially using the API RNBOsproWrite (which requires only the write password).

Brute forcing the 2 overwrite passwords is code-trivial with a major caveat; you could simply cycle your way through the possibilities using RNBOsproOverwrite; the reality however is a very long wait since you cannot escape the API & hardware overhead which restricts considerably the speed at which you can test passwords. Also on the more recent devices there are tamper checks inside the hardware looking for just this sort of attack so you'll probably trip that long before finding the passwords.

As an exercise I know of several people who stripped out going via the API interface and opted for direct access to the Sentinel and still found the brute force times impractical.

With the overwrite passwords you can obviously reprogram the dongle to your heart's content, either directly via the SDK or using the GUI therein.



January 24th, 2008, 06:49
So, is that covered in your lecture on 3-Feb? -- How to reprogram dongles without knowing the overwrite dongle passwords?

Have Phun

January 24th, 2008, 12:36
Thank you so much! That cleared up a lot for me but there is still one more thing left. I have searched for "API sproWrite" here on the forums and Google but I haven't been able to find anything. Is this a program I can download?

January 24th, 2008, 13:46
Previous post edited slightly.

Search out the Sentinel Developer or Programmers Guide, RNBOsproWrite on google ought to give you something.



January 25th, 2008, 02:55
I have been searching for a couple of hours now and the best thing I could find are these 2 documents.


They talk about the program(?) that apparently has commands that start with RNBOspro, just like the RNBOsproWrite you mentioned.

However, I cannot find this anywhere.

You stated before
"using the API RNBOsproWrite (which requires only the write password)."

Is this a program you know of? Do you know where I can get it?

You also stated
"via the SDK or using the GUI therein."

Do you know where I can get the SDK or GUI?

If you could explain this to me in further detail that would be great. I am quite clueless in this area.


January 25th, 2008, 03:08

Did you actually READ THE FRIGGIN FAQ??? If you did, how come you feel YOU are entitled to ignore the part which states, rather clearly:

Do not ask where to find the "tools."

I see no exception there for YOU to ask where YOU can find the tools YOU might need to solve your sentinel superpro problems. Now get with the program or go away.

It's up to YOU to master the skill of searching on the net and finding the tools YOU need for YOUR reversing projects. We have an entire Website linked below where you can study that skill.

That it may not be easy, or that YOU haven't succeeded, or might not succeed at all, does not give YOU permission to ask someone here to take you by the hand and lead you to the tools YOU want or just give them to you.

Learning how to be a "reverser" means you have to have patience and determination to actually find what you need and to study what you need to study to figure out what is necessary for YOUR project.

It is past time you actually PAY ATTENTION TO OUR RULES!

January 25th, 2008, 10:46
Understood, I apologize.

But there is one more question I could ask that won't go against your rules.

Are those actual programs? That I would be able to find on my own? Or am I searching for something that doesn't exist, or works in some different form?

January 25th, 2008, 14:23
Sorry, you actually do NOT understand. You found a reference to the Sentinel LM Programmer C's Reference Manual, but you obviously didn't spend any "quality time" actually reading it, or attempting to find on the net information about things discussed in that manual which you might not understand.

For example, you might have simply put API in your favorite search engine and found something similar to this:

"Abbreviation of application program interface, a set of routines ("http://www.webopedia.com/TERM/A/routine.html"), protocols ("http://www.webopedia.com/TERM/A/protocol.html"), and tools for building software applications ("http://www.webopedia.com/TERM/A/application.html")."

Had you done that simple thing, you might have some better clue about what you are attempting to do and how it might be done.

If you actually have done "basic" research on how to "reverse Sentinel SuperPro" you should have gained some understanding of what is involved and what "tools" might be needed and/or where such tools might be located.

You've obviously recovered "some" data from the dongle, but you do not appear to have done much in the way of research on "brute forcing" or the tools which might be necessary or available, generally, for that task, and/or what may be available for your "target."

You are STILL in the mode where you want someone to GIVE you the answers, rather than in the mode that YOU are determined to do YOUR very best to FIND the answers and what YOU need.

You appear to get just one idea, and then you search for just one thing, apparently without any real understanding of what you are really attempting to do. It certainly appears that you are starting from "no knowledge" to going to "cracking" a very difficult project for a beginner, while, at the same time, trying to do as little "real work" as possible. That is not the type of effort that gets "rewarded" on this Forum with getting taken by the hand and being "led to the promised land" of "success."

Now have you even attempted to do what CrackZ suggested you do??? He is, after all, one of the "Experts" on such things! He suggested you SEARCH on google for:


something YOU apparently haven't done or you should have more information than you exhibit so far. That search criteria produced 91 hits for me, including some about something called a "Sentinel SuperPro Emulator", which YOU should have already discovered, had you been doing your own homework! It's possibly what you are already using to recover the data you have already recovered, which you mentioned in your first post.

If you had actually been reading some of the Threads on Exetools, even though you can't download attachments from there, you would already have some "basic" understanding of what might be available for use in the context of "Sentinel Dongle Tools," instead of asking "lame" questions here which simply show you haven't been doing any real "thinking" about what you are attempting to accomplish.

Now these conclusions could be mistaken, but they are based on the only information YOU have provided about what you started out knowing about what YOU want to do and what YOU have told us YOU have done so far.

Just one more example. Have you done the "obvious?" Have you put:

Brute Force Sentinel Super Pro

in YOUR favorite search engine and read some of the more than 7,740 hits available about that subject? There's even a link to the manufacturer with information about their efforts to "defend" against brute force attack. YOU have read at least some of those, haven't you?

If you've actually done any of these things, it certainly is not clear from your Posts and the very "basic" questions you keep asking so far.

Reversing is a time consuming process. Are YOU willing to actually put in the time to learn how to attempt to do what you have said you want to do? So far, it only looks like you want an "easy" and/or "quick" answer handed to you for a "cookie cutter" solution to your problem, where you might click a few buttons and your quest is accomplished.

Step up to the plate and actually THINK about what your problem is and how YOU might go about researching it more effectively and then YOU tell US what you have found and ask whether your information is correct. That's what we ask you to do!


January 25th, 2008, 14:49
RNBOxxxx are the names of the API functions developers can use when programming their dongle; the Sentinel SuperPro SDK has example programs you could trivially compile / edit to do this, so no-one has actually bothered authoring any *tool* as it's considered rather pointless.

I suggested you try RNBOsproWrite as it *writes* data to the dongle's memory and requires you know only the Write Password (which you have).

JMI is right though, although I'll summarise it in much fewer words; If you had invested just a little bit more effort & time in reading & researching the information you were given, it would have saved you all of the criticism you have received.



January 25th, 2008, 20:17
Thank you CrackZ, I will continue my search with the information you have supplied.

JMI, you seem to be extremely biased against me doing any research.
When I said I do understand I DID mean I understand. Apparently my apology wasn't enough.
Let me make it clear I HAVE been doing MY own research and putting my OWN hard work into this.
I did look up API; it was one of the first things I researched. I was just a little unsure of how things worked.
I have done MORE than "basic" research, for I have read EVERY document I could find on the topic.
And no, I am not in a "mode" of wanting someone else to just hand over some program so I can do this with zero knowledge.
I am more than willing to give time and effort into learning more about how these things work.
When I asked directly for the programs I was wrong in this and I did apologize. But my main concern was not to have the programs handed over to me, but to understand if they actually are programs in the first place.

I have researched EACH and every one of the keywords CrackZ has given me.
This has helped me A LOT and I thank him once again for the help.

So, JMI, don't jump to direct conclusions that I have not researched enough.
When I asked if those are actual programs, I was basing the question on the knowledge I received from reading both of those documents and from research in many other documents.
Now that CrackZ has explained to me the basic information on this I can further continue MY own research.

Confusion on how something works even when researching it does not mean I had not put a good amount of effort into searching for it myself.
I am NOT a lazy person. I actually enjoy finding things out on my own much more than someone handing me the knowledge. Most of my ventures into learning about technology have been by myself, learning the knowledge myself, researching it myself, the way I like and enjoy it.

ALL I have been asking for in this entire thread other than my mistake of asking for the programs directly has been ONLY directions on what topics or information would be best to research, and questions when I was confused about how a certain thing works.

JMI don't get me wrong. I am not telling you how to do your job as an Administrator for this forum. In fact I admire it and think you do a good job. But sometimes you can be a little TOO negative towards the possibility of someone actually putting hard work into something.

So once again I thank both of you for pointing me in the right direction in my research.
I will post again soon on my success.. or failures, but hopefully I won't have many of those.


January 25th, 2008, 21:18

You have made some valid points.

I want to remind you, however, that I did not use or imply that you were "lazy." That was not part of my description of your efforts.

What you also need to keep in mind is that I have only your "words," written here, upon which to form a conclusion about what you may or may not have done. I can not look into your mind and see what you have seen or read. If you didn't write it here, I would have no way of knowing what you might have done, or already knew, or learned along the way.

Along with my efforts, I did provide some, I hope, useful pointers in directions of information which I thought might help you. Again, I can only judge what you might have done with that information by what you then write here and what you indicate you may have learned.

I was more attempting to get you to focus on what your answers seemed to indicate you did not yet understand. It was fairly reasonable, even if not completely correct, that, if you didn't understand some of the very basic information, that you either hadn't found or hadn't carefully considered some of the information which had already been mentioned.

Try not to be discouraged if you seem to be having problems with your task or if some part of the Administration here doesn't seem to understand all the efforts you may have already invested. This all takes substantial time.

I will only say that when I first started "reversing," I had not the faintest idea about how computers and/or computer languages worked and after more than 20 years of trying to do some reversing and reading a very great deal about it, I do not consider myself a "skilled" reverser, by any means, mostly because real life does not afford me the time or the opportunity to spend as much quality time as I once had to just "play" with the workings of some program or protection scheme.

Also try to remember that I do not write my comment about Searching, learning to Search, and actually doing that with the intent of just criticizing anyone. It is intended to emphasize the importance of that required skill for anyone interested in this great adventure on which we journey. Much of what I write is intended for a general audience of those who come later and who might "get the message" about searching and how to accomplish that skill while simply reading some of what has already been said to others.

I neither have, nor hold any personal hard feelings about you or your efforts. If I seem to try to nudge you down "the correct path through the dark codewoods" with what you might fairly consider to be too much apparent passion, it is simply because I believe the message of our founder, +Fravia, that learning to search and actually doing the searching and applying one's brain to that task, is one of the most important skills a wannabe reverser can master, including me.

I can only suggest to you that "impatience" with achieving your goal is one of the more difficult traits for anyone, particularly the young, to master. Learning some of this "stuff" takes time and, unless you program computers all day, there is one heck of a learning curve to climb against.

So may I humbly suggest you try to look on what is happening as a "process" rather than an "event" and that along the way there will seem to be many roadblocks and pitfalls, against which one bumps in the night. We just need to pick ourselves up, focus on the road ahead, try to keep putting one foot in front of the other, and eventually we realize we actually begin to understand a little bit more and a little bit more.

Sometimes we can slap our heads and wonder why we didn't see something more clearly before, and sometimes we can wonder whether we will ever "get it." But in the end, it is the "journey" which is the adventure, not the single event of success over this or that problem.

It is learning how to "think through" something we initially don't really understand, and gaining a little more understanding of the ever evolving world of computers and their programs, and the constant struggle between protectors and reversers that keeps it interesting. It is the determination not to be stopped, not to give up, which gives useful purpose to the process.

Analyzing and problem solving skills are generally great preparation for much of what confronts one throughout life. Working on those skill sets, in almost any area, is nearly always a very "good thing."


January 27th, 2008, 02:09
Hello again.
I got a bit further in my goal of writing to the SuperPro dongle.
Today I had a look at a friend's old serial port dongle that had code already written to it.
I noticed another difference between my blank dongle and his.

I actually have 2 different kinds of dumpers.

One reads the data off the dongle and creates a nice little txt file that has the cells from 0x00 to 0x3F.

And the other apparently dumps more, a .RSL file, but must be viewed in a hex editor.
It shows the same cells as the first dumper but the entire string of them is at the end of the dump.
Before that there is more space with more numbers.
On my blank, every couple of blank spaces is the code 12 34 56 78.
The string of blanks and 12345678 keeps repeating until it reaches the cells at the end, which are the same as in the first dumper.
My first thought is that this is some extra code on the dongle and the default "blank" code in these places is 12345678.

On my friend's serial SuperPro, some of the 12345678's are there but most of them have been replaced by other sets of numbers, sometimes even longer in length than the 12345678.

Now I am stumped again... I thought the cells 0x00 to 0x3F were all that was on the dongle. But this proves it wrong does it not?

The code shown in the first dumper would be in this format,

Cell 0x00: ABCD (1/0) (Dongle Serial Number)
Cell 0x01: 1234 (1/0) (Developer ID)
Cell 0x02: ???? (1/4) (OverWrite Password 1)
Cell 0x03: ???? (1/4) (OverWrite Password 2)
Cell 0x04: 5678 (1/4) (Write Password)
and on down to cell 0x3F

But the code from the second dumper viewed in a hex editor, omitting the beginning part I am confused about explained above, would be in this format:

CD AB 34 12 00 00 00 00 78 56 ----> onward to end are 0's, same length as the first dumper so I know it's the same code.

Notice how each of the 4-digit codes is reversed.


So there you have my new discovery. If you have any information on what that code is then it would be well appreciated.

Now back to my RNBOxxxx API functions research.
I thought I should take a look at the source of the first dumper since it so nicely provided it. And there was the code I was looking for. All the RNBOxxxx commands that the program uses to communicate with the dongle were there.
This gave me more understanding on what I will have to do to accomplish my task of writing data to the blank dongle.
Apparently I would have to code my own little program with the commands to write to the cells I want.
I have enough knowledge to see the code is written in C. I guess it's better to start learning to code now than never.

Once again I thank you for helping me to get this far. Would have taken me much longer without you.

Possibly is the code before the known string of 0x00 to 0x3F a space just for the company that sold the dongle with Program to write some extra code of their own?
Just an idea...

Well now I know exactly what must be done but I am unable to do it.
I must write a code in C to use the RNBOsproWrite API function correctly so it writes the code I want.
If anyone is willing to show me how the code would be written that would be great.
I tried editing the source of the dumper and then compiling it but I failed... There is just too much more to the code I don't know. It's close to impossible for me to write a successful piece of code that will use the sproWrite command successfully.

This is the format for the sproWrite command (the opening line of the prototype was missing from my paste; the function name and the packet parameter are as described below):

RB_WORD RNBOsproWrite( RB_SPRO_APIPACKET packet,
                       RB_WORD writePassword,
                       RB_WORD address,
                       RB_WORD data,
                       RB_BYTE accessCode )

packet - is a pointer to the RB_SPRO_APIPACKET record.
writePassword - is the write password for the SuperPro key.
address - is the address of the word to write.
data - will contain the SuperPro word to write.
accessCode - will contain the access code associated with the word to write.
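An added example, not from this thread or from the Sentinel SDK, that reads the tail of a hex-editor dump as 16-bit little-endian words and prints them in the first dumper's "Cell 0x00: ABCD (label)" form, which is exactly why the bytes look reversed in the .RSL file. The cell labels and the 0x40-cell size follow the listing above; the sample bytes are constructed from the words quoted in the post, and the 12 34 56 78 filler is treated as an unprogrammed marker only because the post reports it that way.

```python
import struct
from typing import List

# Cell labels as listed by the first dumper in the post above; everything
# past 0x04 is treated as plain data. The access codes shown there (1/0, 1/4)
# are not recoverable from the raw bytes, so they are not reproduced.
CELL_LABELS = {
    0x00: "Dongle Serial Number",
    0x01: "Developer ID",
    0x02: "OverWrite Password 1",
    0x03: "OverWrite Password 2",
    0x04: "Write Password",
}

NUM_CELLS = 0x40            # cells 0x00..0x3F
CELL_AREA = NUM_CELLS * 2   # two bytes per 16-bit cell
BLANK_MARKER = bytes.fromhex("12345678")  # filler pattern reported in the post

# Constructed sample: the last 128 bytes of a dump, starting with the bytes
# quoted in the post (CD AB 34 12 00 00 00 00 78 56) and then zeros.
SAMPLE_TAIL = bytes.fromhex("CDAB3412000000007856") + bytes(CELL_AREA - 10)


def words_from_dump(dump: bytes) -> List[int]:
    """Decode the trailing cell area of a dump as 0x40 little-endian words.

    The hex dump shows CD AB where the first dumper shows ABCD: the low byte
    is stored first, which is what the "<" prefix in struct means.
    """
    if len(dump) < CELL_AREA:
        raise ValueError("dump too short: need at least %d bytes" % CELL_AREA)
    cell_bytes = dump[-CELL_AREA:]
    return list(struct.unpack("<%dH" % NUM_CELLS, cell_bytes))


def format_cells(words: List[int]) -> List[str]:
    """Render words in the first dumper's 'Cell 0x00: ABCD (label)' style."""
    lines = []
    for addr, word in enumerate(words):
        label = CELL_LABELS.get(addr)
        suffix = " (%s)" % label if label else ""
        lines.append("Cell 0x%02X: %04X%s" % (addr, word, suffix))
    return lines


def count_blank_markers(dump: bytes) -> int:
    """Count 12 34 56 78 markers in the part of the dump before the cell area.

    Assumption (from the post, not from any documentation): an untouched
    dump shows only this marker there, so a lower count than on a blank
    device means that region has been programmed with something else.
    """
    prefix = dump[:-CELL_AREA] if len(dump) > CELL_AREA else b""
    return prefix.count(BLANK_MARKER)


if __name__ == "__main__":
    for line in format_cells(words_from_dump(SAMPLE_TAIL))[:5]:
        print(line)
```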

February 7th, 2008, 13:31
litePL, looks like you've got a better grasp of what it is you're dealing with now. Not sure if you've made any progress since the last post, but I'll add my comments anyway.

I researched these dongles for about a week myself, though I still have yet to attack my target program. Have you looked into the SDK at all? It may be a very useful tool. While searching for info such as "Sentinel SDK" I found that there were some Russians with useful information. Also, if you can't find the Russians: You know how you don't ask us for tools on the forum? Well, maybe you need to "ask someone else"? (And I'm not implying that you ask me.)
Lastly, that link that was given to the other thread was VERY important. If your target is anything like theirs, you may be wasting your time trying to brute force.

JMI and CrackZ, thanks for the helpful info I learned a few new tricks reading this.


March 23rd, 2008, 20:45
Hey guys I'm back after a long time of getting the code to work.

I can successfully write to the dongle now! And it's all thanks to you guys!
Thanks so much for leading me in the right directions.

Me and a friend wrote the code to write to the dongle. He knows C better than me so he helped out a bit. I copied all the cells I could see to the new dongle but where the algorithm cells should be I just left it at 0000. I hope that won't be a problem.. I also hope the different serial numbers won't affect it. I am currently brute forcing the 2 Overwrite passwords on another PC. Looks like it's gonna take a while.. Hopefully the passwords will be close to 0000 if I'm lucky.

At first I began to brute force the Overwrite passwords so I could overwrite the Serial Number. But now I have doubts after I read this in the API functions list.

"This function can be used to overwrite any word on the SuperPro key with the exception of the words at addresses 0-7."

My guess is that means I won't be able to overwrite the serial number..
I haven't found anyone else with success in overwriting the serial either.
If anyone knows how please do tell.

And I'm also doing some more research into the Algorithm cells and Counter cells. I'm not really sure what they are used for..

Since I'm done with my goal of writing to the dongle. Can someone grant me access to the files at the exetools forum? I would like to try out some of the programs there just out of curiosity. Thnx


The serial number doesn't matter. I used an emulator to emulate the correct dongle code for the program and it worked. Then I copied all the Data exactly as it is in the dump to my blank Dongle. Now the only difference was Serial number and DevID. It didn't work.. Something occurred to me at this point. Whenever I did anything with the dongle I always had to have the DevID for the dongle I was using.
In the API functions list it states the following:
"If the developer ID is not known, none of the functions will work."

So my guess is that the program I am using searches for a dongle with that specific DevID. If it can't find a dongle with that DevID then it doesn't work.

Just my luck, I have all the license data copied onto the dongle but now I have to find a way to change the DevID... But I think that is impossible since RNBOsproOverwrite can't write to cells 0-7.

So now I am stuck again with no way of getting this done. I have searched and searched to find nothing on changing the DevID.. If anyone can help me please do so. Even concluding my theory of it being impossible will be enough.


March 26th, 2008, 17:44

I am pretty sure you are correct in the fact that it is impossible (from a practical level) to be able to change the values in cell 0x00 (serial number) and 0x01 (Developer ID), along with cells 0x05, 0x06, and 0x07 being "Reserved cells".

With most of my experience being on the hardware cloning side, I will probably get corrected on this next bit as I did not go back to read the API functions before telling you this...

From my understanding the Developer ID is used in the APIs to "wake up" or tell the dongle to "start listening" AND is burned into ROM on the device at the factory; basically it is how the program tells which dongle should listen to what command is next. Now this is not a big deal when on a serial line and 99% of the time there is only the one device on the line, but would be on a USB bus as there can be many dongles on the same bus with different Developer IDs. I am not sure if there is anything new on the USB version that would allow two USBs with the SAME Dev ID. Also from what I have seen, looking for the serial number is up to the program that is looking for the dongle in the first place as to whether it fails the check or not. The only way I know that you will be able to have another physical device with the SAME Dev ID is to get one with that actual DEV ID from the source or to make your own hardware clone.

Hope this helps... and please correct me if I am wrong on what is needed at the API level.


March 27th, 2008, 00:28
[Originally Posted by korvak;73618]
From my understanding the Developer ID is used in the APIs to "wake up" or tell the dongle to "start listening" AND is burned into ROM on the device at the factory; basically it is how the program tells which dongle should listen to what command is next..

I also have not read the API to the point where I would know for sure either, but I have definitely burned my share of ROMs.

From what I know about "anti-reversing" in hardware situations, companies will use chips that can only be written once or chips with blocks of code that you can't write to, like the dongles here. There are different sections CODE and DATA (EEPROM). The CODE section is written with a programmer (burned in), while the DATA can be updated easily through software. There is usually a bit set to disable reading of the chip (you can try, but it'll give you all 0's or F's) -- to prevent a direct copy. Since we're dumping just the DATA section with the PC, we generally can't make a clone of these dongles.

Furthermore, if you open up your dongle, you see a nice black dome shape. This is epoxy on top of the chip, so even if you had the reader/writer hardware, you wouldn't be able to touch the chip.

So in order to copy it, you use a data analyzer to find out what it does (basically a hardware debugger) and then write the code yourself for your new dongle, then finally you can write the spro dump as you have already tried. As korvak said, it's probably not gonna happen.


March 27th, 2008, 17:49
Just to add to this briefly.

personmans & korvak are correct.

There isn't any way of writing to cells 0-7. I recall perhaps some very early Sentinels pre-95 that could be written in an undocumented manner but this was changed fairly shortly after.



March 28th, 2008, 00:31
Thanks for the confirmation. I've got some of the pre-95 keys, maybe I'll try writing to them on the 0-7 section.

I've also got a "burned out" key because someone tried to put it on a serial splitter and... apparently they thought of that when designing the keys =P. Does anyone have experience repairing them? I looked inside, and didn't see too many components (aside from the epoxy blob covering the microcontroller). I figured a burned out key would have just been a diode/fuse/etc. that breaks under extra current from 2 PCs, but I have not had the chance to test it out yet. I won't be able to test for a couple of days, so I just wanted to see if there is any info out there. I checked [my favourite search engine] and browsed the forums a bit, but didn't find much.


April 5th, 2008, 14:18
Today I found an alternative to copying the key.
I used autorun on my USB flash drive to make the Sentinel SuperPro Emulator run every time I connect the flash drive.
This gives me the same effect of a hardware key.
Even though this was not my real goal, it works just the same.

Once again I would like to thank everyone that has helped me.
With your help it was really fun researching how the Sentinel dongle works.

I hope to encounter other reverse engineering experiences in the future and I will be sure to share them here.