sentinel spro - no need for devID


Unregistered
October 9th, 2001, 10:44
Hi,

Some days ago, while I was playing with a spro,
it turned out that:

FormatPacket(packet, 0x404);
Initialize(packet);
FindFirstUnit(packet, 0xFFFF);
FindFirstUnit(packet, 0xFFFF);

... and now you can read the dongle without
bruteforcing the devID... instant access :-)

driver version : 5.30, 5.38

Now the question is: how can it work???

And if I wanna read ALL the dongle memory (algo included),
how can I do it???

haec_est

Morlac.
October 11th, 2001, 02:54
Hi there,

The reason for this effect will be apparent once you reverse engineer the Sentinel driver (get an old driver, much easier and tidier code to understand; I used ver 2.1). Basically, the dongle hardware has no lock to prevent any read from it before any other initialisation.
So, what actually happens when the dongle receives a FindFirstUnit() & FindNextUnit() <- identical functions:
the driver reads the dongle DevID and compares it to the value the user passed down. If it matches, then good guy.
In the case of 0xffff, it's just a bug in the driver that got introduced in the more recent driver updates.
Older drivers didn't allow for the 0xffff trick.
-------------------------------------
pseudo code for the FindFirstUnit function from the driver
------------------------------------
FindFirstUnit(packet)
{
    packet->unitnumber = -1;
    FindNextUnit(packet);
}

FindNextUnit(packet)
{
    .........

start:
    setup_port();                     // initialize the parallel port & dongle
    sendInstruction(0x85);
    result = ReadCell(1, &DevID);     // Same as SproReadCell(...)
    if (result) {                     // non-zero result: release the port and retry
        release_port();
        goto start;
    }
    if (DevID == 0) {
        //// Why is this happening? What's the secret????!!!!
        query(0x0BC614E);
        release_port();
        goto start;
    } else {
        if (DevID != packet->DevID) { // DevID read from the dongle vs. the value passed down
            release_port();
            packet->result = error;
            return;
        }
        ReadCell(5, &Num);
        if (Num != 0) {
            release_port();
            goto start;
        }
        ReadCell(0, &serial);
        packet->serial = serial;
        packet->error = unit found;
        return;
    }
}
---------------End of code ----------------------
Hope this clarifies what you want to understand.

As you can see from the code, there are a few unexplained
issues that I encountered, like what Cell 5 is supposed to be
and that query(0x0BC614E).
Well, hope I helped.

Morlac

haec_est
October 13th, 2001, 09:07
hi,

Thanks for your answer... very useful.

Now I have only a little problem: I wasn't able to find such an old driver on the net, only 5.x versions...

Where can I find that driver?
Just to study it a little bit...


thanks,

haec_est

Morlac.
October 15th, 2001, 11:41
I can email the old .sys file.
Address?

Morlac

haec_est
October 16th, 2001, 08:52
this should work : haec_est@hotmail.com

thank you,


haec_est