
Thread: Cloning Sentinel Dongle

  1. #1
    cah

    Cloning Sentinel Dongle

    To,
    All Dongle Reverse Engineers


    Is it possible to clone sentinel dongle?

    How to read/edit a sentinel dongle?
    knowledge base on this subject is highly appreciated.

    Regards
    Cah....

  2. #2
    Morlac
    Guest

    Dongle clones.

    Apparently, you can, to a certain extent that is.
    Some cells are not readable. Like counters, passwords, and algorithm cells.
    Counters are no issue.
    The problem is getting the 2 overwrite passwords and the algorithm cells.

    Those were the only cells I couldn't reveal in a sentinel dongle.

    Morlac.

    PS - I don't know about hardware cloning though.

  3. #3
    The same problem arises with the SproQuery function, which seems to be tied to the developer ID and a 32-bit value (2 cells) in the memory.

    // CyberHeg

  4. #4
    cah

    Hayya cyberheg

    Thanks for your reply.
    How to edit/read a sentinel dongle? Any tools/utilities available?
    How to find queries from the dongle, if I have a sentinel dongle?

    cah...

  5. #5
    There are plenty of tools available, look at the CrackZ mirror website.

    // CyberHeg

  6. #6
    Yes, in general it would be difficult to read the "Active Query Cell", although in some programs there is a "leak" with these cells as well (the Overwrite function needs write and overwrite passwords). So, if there is an upgrade facility, there is a chance for "leaking".

    My question with cloning is: "is there any possibility to program the SuperPro with any Id if let say we can have access to the dongle programmer or to the IC programmer in general ?"


    Bye,
    Scorpie

  7. #7
    warior_jal
    Guest
    Hiya Cah!

    Contact me on my other mail ID, I am working on the same but with a different approach.

  8. #8
    VoxQuietis
    Guest
    Hi there Dongle reversers,

    Some comments on the (Super)Pro:

    - First of all get the SDK and (if possible) a dongle to play with.
    - Then, as a little exercise, write a program to read out all the readable dongle cells. This is nice to gain some overview of the dongle.
    - Then launch a brute force attack on the write password (but be careful and use an empty cell for doing that). The attack on the write password will take no longer than a couple of minutes.
    - A brute force attack on the overwrite password is feasible, but it will take a couple of months (2..12 depending on the amount of luck ;-) to go. I had to do this on a specific dongle some time ago, and there is nothing special about it.
    - Reprogramming the D/I or the S/N should not be possible (at least if you access the dongle through the standard API/driver). Most likely there is a backdoor which allows reprogramming the dongle. But a possible exploit would require a dump of the PIC device, which would require removing the coating around the chip plus access to a PIC programmer with a wafer prober. (No need to stress the importance of a dump of the PIC's memory. I guess any Sentinel guru would love to put the dump into IDA...)
    - Logging the query calls is possible, and therefore it is obviously possible to program an emulator around the logged data.
    - The buffer used for the I/O to the dongle is encrypted. The encryption/decryption routines can easily be ripped out of the driver or a client application. The encryption towards the dongle is slightly different than the one towards the client.
    - If you want to change the behaviour of the dongle driver towards a more convenient operation (why plug a dongle into the backside of the box, if the results are clear in advance? ;-) you should write a filter driver which attaches to the dongle driver. This is - by the way - a fundamental approach which should be applicable to all dongles.
    - It is possible to direct a query to a readable data cell. Maybe this could help in reversing the query function, which I presume to be a tedious task anyway.

    So for the time being, the SuperPro is not compromised, even though it is most likely a classical example of "security by obscurity".

    best regards
    - Vox.

    PS: Although I promote the idea of free information for all (and I freely admit that I hate dongles for practical reasons...) I would not like to see dongle cracks based on the mentioned principles spreading over the warez sites to all the lamers of the internet. I will therefore be very careful in discussing the details of the above mentioned topics. I expressly don't want the Sentinel stuff to become a victim of something like the Blastsoft release with about a hundred Flexlm seeds. I hope that the readers of the forum understand and respect this point of view.

  9. #9
    cah

    Hayya warior_jal

    Give me your mail ID
    Cah...

  10. #10
    Antipodean
    Guest
    >- reprogramming the D/I or the S/N should not be possible (at least
    >if You access the dongle through the standard API/driver).
    >Most likely there is a backdoor, which allows to reprogram the
    >dongle. But a possible exploit would require a dump of the
    >PIC device, which would require to remove the coating around
    >the chip plus access to a PIC programmer with a wafer prober.
    >(no need to stress the importance of a dump of the PICs
    >memory. I guess any Sentinel guru would love to put the
    >dump into IDA...)

    Are you sure they use a PIC micro in them?

    If they do, then the programming function is by a serial protocol through a pair of data pins which change their function by putting 13 volts on the MCLR pin. I doubt they will have set the chip to low voltage programming mode, but they will surely have turned on the code protect, which will stop reading out the code.

    The MCLR pin and the data pins would all be accessible through the normal dongle pins, so there would be no special pads needed to program the device from a blank chip.

    In short, if it is a PIC device, your chances of reading it out are very slim.

    You will not need IDA to dump the code if you ever get it out. Just load the hex into the Microchip MPLAB, and it will provide a complete opcode listing.

  11. #11
    scooterk
    Guest

    Curious about this.

    I thought there is something on the web showing a clone using an Atmel ASIC 93C46 using an external power source and assembled onto a PC board which is housed in a 25 pin connector resembling a dongle key.
    My question is: how is the actual chip on the key read and then copied?
    Via software, or via watching the output from multi-trace scope patterns (when the key is accessed), or can one clip to the chip using a hardware emulator?
    scooterk

  12. #12
    Antipodean
    Guest
    >I thought there is something on the web showing a
    >clone using an Atmel ASIC 93C46 using an external
    >power source and assembled onto a pc board which is
    >housed into a 25 pin connector resembling a dongle key.
    >My question is how is the actual chip on the key read
    >and then copied? via software or via watching the
    >output from multi-trace scope patterns (when the key is
    >accessed), or can one clip to the chip using a hardware emulator?
    >scooterk

    I believe some of the very early dongles had exactly this chip in them, but done as "chip on board", where the bare chip is mounted on the PCB and then covered with a dab of epoxy. The later dongles which can protect locations and do encryption have a micro in them, a bit like a smart card.

    The 934x family of chips are serial interface EEPROMs, so the host PC clocks out the data under software control. New chips are easily programmed using a similar write sequence.
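
As an added illustration of Antipodean's point above (this is not code from the thread, and no vendor datasheet is quoted): a constructed Python model of a 93C46-style Microwire EEPROM beside a host-side routine that clocks a READ out of it. The 16-bit organisation, the READ opcode `10` and the 6-bit address width are assumptions for the model. From a defender's view it shows that a plain serial EEPROM answers any READ on the bus with no password or challenge, which is why a dongle built on one offers nothing beyond obscurity.

```python
"""Constructed bit-level model of a 93C46-style Microwire serial EEPROM (16-bit org:
64 words, READ opcode 10, 6-bit address): any host that clocks the bus gets every word."""

READ = 0b10                      # Microwire READ opcode
WORDS, ADDR_BITS, DATA_BITS = 64, 6, 16

class Eeprom93C46:               # device side: host drives CS, CLK, DI; samples DO
    def __init__(self, contents):
        self.mem = list(contents) + [0xFFFF] * (WORDS - len(contents))  # blank = 1s
        self.cs, self.shift_in, self.out_bits, self.do = False, [], [], 0

    def select(self, cs):
        self.cs = cs
        if not cs:                           # CS low aborts any cycle
            self.shift_in, self.out_bits, self.do = [], [], 0

    def clock(self, di):                     # one rising CLK edge: latch DI, update DO
        if not self.cs:
            return
        if self.out_bits:                    # data phase: shift out MSB first
            self.do = self.out_bits.pop(0)
            return
        self.shift_in.append(di & 1)
        if self.shift_in[0] != 1:            # wait for the start bit
            self.shift_in = []
        elif len(self.shift_in) == 1 + 2 + ADDR_BITS:
            opcode = (self.shift_in[1] << 1) | self.shift_in[2]
            addr = int("".join(map(str, self.shift_in[3:])), 2)
            if opcode == READ:               # no password, no challenge: just answer
                self.do = 0                  # dummy 0 precedes the 16 data bits
                self.out_bits = [(self.mem[addr] >> (15 - i)) & 1 for i in range(DATA_BITS)]
            self.shift_in = []

def read_word(dev, addr):                    # host side: bit-bang one READ cycle
    dev.select(True)
    frame = [1, READ >> 1, READ & 1]                       # start bit + opcode
    frame += [(addr >> (ADDR_BITS - 1 - i)) & 1 for i in range(ADDR_BITS)]
    for bit in frame:
        dev.clock(bit)
    word = 0
    for _ in range(DATA_BITS):               # dummy bit is on DO; clock the data out
        dev.clock(0)
        word = (word << 1) | dev.do
    dev.select(False)
    return word

def dump(dev):
    """Read the whole array, which is all a clone of such a chip needs."""
    return [read_word(dev, a) for a in range(WORDS)]
```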

  13. #13
    VoxQuietis
    Guest

    Published circuit diagrams

    Hi there reversers,

    To my knowledge there are only two dongle diagrams published so far. First the C-Plus dongle, which is the one with the EEPROM device mentioned above. I saw it first in the famous essay of Dr Fuhrball. The protocol is known as the 2-wire protocol. All the information is available, and it is both easy to dump the dongle and to clone it.
    The second one is the Pro. It is built around a Catalyst CAT-702 chip (I'd be glad if someone could point me to a data sheet of that device). Here the diagram itself is of little interest, since the security is relying on the CAT device.
    With regard to the SuperPro I am far from sure whether it is based on the PIC. Nevertheless Dr. Fuhrball made a comment pointing in that direction. On the other hand it seems a perfect match that one uses a PIC, since the development of a program is by far cheaper than the development of an ASIC - the ASIC results in NRE cost of at least 30.000 $, and I doubt that there are that many dongles around for the ASIC solution to become cheaper than the PIC approach.

    Bye
    - Vox.

  14. #14
    scooterk
    Guest

    Thanks to all for the info.

    Thanks for the response on this. I find the hardware/software aspect of making a clone to be an interesting project.
    I found an interesting setup from Christian Scheurer using an Atmel AT90S8515 (8-bit RISC microcontroller), however the board is quite large considering it uses a 40 pin layout, but the article proved interesting. (The original article is in German.)
    scooterk

  15. #15
    Hello there,

    Nice explanation VoxQuietis, Antipodean, Scooterk, etc.

    Just to add concerning Superpro:

    It uses only pins 6, 7, 11, and 18 (ground) on the male connector (which is connected to the parallel port), and the old dongles use the CAT 701. During programming, the female connector is fed with some signals from the programmer.

    Although my German is not good (Deutsch ist schwer), kindly let me have the article (Scooterk?).


    Bye,
    Scorpie
