Page 3 of 5 FirstFirst 12345 LastLast
Results 31 to 45 of 65

Thread: Cloning Sentinel Dongle

  1. #31
    Are you sure it was a SuperPro lock device and not a Hardlock.

    I continually see people posting about alladin hardlock.
    Alladin only bought Hardlock.
    Harlock was developed in germany by F.A.S.T

    Also the activator was originally developed by a company called
    Sofware Security Inc. and was later purchased by rainbow.

    Most of you newbies haven't even seen a lock 4-5 inches in length, which is how big the original sentinel pro was.

    If the SuperPro can be reprogrammed, then why isn't anybody doing it. Proffesionally as a lock replacement service.

    Are you also going to dispute the fact that CAT on the rainbow chip is not a catalyst number?

    Might I suggest getting a-hold of the largest magnifying glass you could find and have a look at the chip.

    And not discounting the possibility that the superpro's first eight words of memory may not in fact be fused, as far as I know Rainbow is the only company which can reprogram the Lock ID.
    They do not release (as far as I know) any devioces which allow a superpro's first eight bytes to be reprogrammed.

    And do not kid yourselves people, the lock device industry is a muli-million dollar business. The development cost to develop some of these locks is in the millions of dollars.
    The only reason I state this is because I have read someplace refered by many posts that the lock device industry can not possibly be that large.... It's HUGE.

    I've been doing this far too long to know otherwise.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #32
    Dear tgodd,

    please calm down. Newbies might generate a lot of obsfucation just by the lack of experience. I learned quite a little bit on the Pro/SPro during this thread.

    W.r.t. the mixing of all those different dongles You are right,
    that one should better be exact, since exactness is one of the
    most important things to practise in S/W rev-eng.

    I got in touch with the SPro about three or four years ago, i.e. I never saw the old-style Spro. The S/W protected by this little beast was in the order of 100k $. Nevertheless the implementation was poor (Flexlm plus some own onraments :-) Anyway I had the dongle free for a brute force attack on the overwrite password, which did succeed after little more than two month. Moreover I developed a filter driver (WinNT, it is a great OS) to emulate the dongle plus a logger consisting of a kernel mode driver and a Perl script. It allows me to run a log with the dongle and then compile the emulator with the data extracted by the Perl script :-)

    It lacks of course a model for the query answer. Up to now this proved to be nothing more than a little bit unconvenient. Anyway I would be a huge step to have a generic solution. I will have a look on the stuff when being back from holydays.

    Do You think it would be feasible, to separate a model of the query processing in a data shifting operation plus a (a priori unkown) boolean function. Then it might be feasible to run a set of (carefully selected) queries on an actual dongle to derive a table with sufficient information to synthesize the function by the means of a VHDL synthesis tool. While this procedure needed to be applied to each algorithm it nevertheless would be a major step towards the generic emulator.

    W.r.t. the Pro CAT-701/2: Our sysadmin gave me an old Pro device as a gift, since he knows about my addiction. The first thing I did was cracking it up, and it contains a CAT-702 labeled chip. I'll put a photograph on the net in the next few days (despite the fact, that there is not much special on it).

    Actually I am trying to extend my logger to the iButton parallel port dongle, but this thing is a mean beast. It floods You with hundreds of driver calls to derive a simple serial number. Gladly enough the driver is small (only 7 k), thus complete revering of the driver is feasible (and the approach I selected). They do sinful stuff: the store information on I/O processing into the device extension. I wonder, whether this is a safe approach for multi dongle / multi CPU machines. Anyway I don't have results up to now.

    Best regards
    - Vox.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #33
    There is currently a company that sells a generic emulator for the superpro. Unfortunately that emulator does not currently work for the enhanced algo.

    SPRO points to remember:
    Algocells are two memory cells starting on an even address.
    The data in the second cell is masked with 03fffh.
    to activate an algo cell the data in the odd cell is masked with
    08000h and to for the algo into enhanced mode the data in the odd cell is masked with 04000h.

    And all new Overwrite2 passwords have the 04000h masked on.

    This renders SafeKeys reader useless on any of the Newer SPros.

    From my own analysis of the algo unit, it's response is based on the write password and the cell pair data. And through statistical analysis a table can be constructed to evaluate the cell contents. Once one has the cell contents one can determine the write password through an emulation of the algo unit.

    I beleive that the enhanced mode throws in another variable (not sure which variable that is as yet), as well as another stage of flipflops of which the responses can not be seen they only have an effect on the Original stage. This throws the statistical analysis out the window.

    Even with a super computer I calculate that it would take approx. 5 years of calculation to generically determine the Cell data on an enhanced mode algo cell pair.

    I doubt that the cell pairs will be readable or read reversable.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #34
    Problem with the iButton is it is sooooo timing sensitive.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #35
    Dear tgodd,

    You say, the algo response is dependent from the write password. OK. Do You think of the dongles 16 bit write password, which resides in cell #3?

    I think, this can be bruteforced within 2 minutes. Or do I miss the understanding a conceptually important point within Your explanation of how the query algorithm works?

    Best regards,
    - Vox.

    PS: I got the best optimism, that my iButton emulator will be _extremely_ timing independent ;-)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #36
    Using brute force yes.

    You can in fact get the write password.
    But it is a destructive method, as you have to attempt to write memory to do it.

    What happens when you have a SPRO which has ALL of it's cells written as hidden or Algo.

    You can Query cell 4 (Overwrite passwords) and determine
    the Overwrites as well as the write password from a Query.

    But in order to do this you need a working knowledge of the inner workings of the SuperPro and it only works on the older versions of the SPRO.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #37
    Dear VoxQuietis,

    I am curious about the Overwrite passwords "retrieval", so I have a question for you. To read the Overwrite passwords, do you treat them as 32-bits ? Write Password has been solved by the one who has the "base-ball" web-site for obsfucation (I think you know who he is) without destroying the overwrite password at all (you are absolutely right again that on the average it takes two minutes to read it).

    Do you mind if I send you a sort of "personal e-mail", as I do not like to expose some "sensitive information" ?


    To tgodd,

    I have found a biggggggg magnifier as recommended, namely a smallllll round window on the Hardlock Cover (as well as Hardlock TWIN). I can not find the magifier on the SuperPro which is reprogrammable by Rainbow Distributor who have access to the programmer.



  8. #38
    Hi scorpie, (and tgodd)

    bruteforcing requires the dongle to have an unused cell,
    which had been the case for all the Superpro's I have
    seen up to now (about five). I expect this to be the
    general rule rather than the exception.

    Anyway, You just run a write within a loop, until You
    caught it. (if You drop me an email address -> voxquietis I'll send You the full source. there is nothing
    special about it, it is just to boring to be posted in
    full length)

    : writeData = 0;
    : cellAddress = 0x8;
    : accessCode = 0;
    : for (id = 0x0; guess < 0xffff; guess++) {
    : writePassword = (unsigned short int)guess;
    : spStatus = RNBOsproWrite(ApiPacket, writePassword, cellAddress,
    : writeData, accessCode );
    : if (spStatus == 0) goto FoundWP;
    : }
    : printf( " Brute force WP failed \n");
    : FoundWP: ... display the result

    Bruteforcing the overwrite password(s) works similar, but is
    _very_ time consuming. With a proper amount of bad luck
    You might run the dongle for little less than a year.
    So You better catch an old PC and place it in the garage
    (or in the lab, as I did ;-) and let it run, just looking
    once a day, how the scanning goes on...

    To extend the stuff for a fully programmed dongle would
    be a major project, yet under the assumption that the
    simple query mechanism is known it should be feasible:
    One would direct queries to all the cells until finding
    one, which returns such a return value. This should be
    possible after directing a set of queries to that cell.
    I'll have a look when being back from holidays.
    Then according to the statements of tgodd both the content
    of the cell and the write password can be recovered, and
    the brute force attack on the OP can start.

    This seems to be everything, which is possible today.
    But maybe some unkown genius takes a deeper look on the device
    and solves the riddle.

    - Vox.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #39
    AnyBody here have a SPRO manufactured from 91-95??
    Let me know...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #40
    Keep in mind that the Overwrite cells can be queried to acquire not only the password, but the Overwrite passwords as well.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #41
    Registered User cah's Avatar
    Join Date
    Sep 2001

    hayya tgodd

    How to find SPRO is manufactured from 91-95?
    I have one old sentinel dongle.
    Explain me, how to find.


  12. #42
    Sentinel makes several different types of locks (dongles).

    Here is a list:
    - C
    - Scribe
    - Scout
    - Pro
    - SuperPro

    Keep in mind that these are all based on completely different

    The SuperPro however, (this is not a well known fact) has 2 flavours and it is not possible really to tell them apart, as far
    as I know, whithout attempting a query on cell 2.
    The newer SuperPros will not allow a query on cell 2.
    There was a hole in the original design which allowed one to query cell 2 (Overwrite passwords).

    And with a working knowledge of the lock internals one can
    determine the write and overwrite passwords from the older

    Do not confuse the PRO with the SuperPro (SPRO), they are
    distinctly different.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #43
    Just a note because I forgot to mention.
    Rainbow also bought MicroPahr, a lock which originates in france,
    and Activator which was manufactured by a company called
    Software Securities Inc.

    MicroPhar = only memory.
    Activator = 3 Counters and memory.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #44
    Hi everyone,

    Have anyone noticed that cell 5 is actually readable and not hidden like the rest of cells from 2 to 7?
    The driver does not allow reading cells 2 to 7 with a simple check.
    If you remove that check you can read them. Cells 2 to 7 apart from 5 will return invalid data. If I remember correctly, 0xffff are return for them while cell 5 returns 0x0000.

    Could somebody check if a dongle has anything stored there?
    Mine contains 0x0000 only. Its a SuperPro Sentinel from Globetrotter FlexLM application.

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #45
    I am affraid you have yet over-looked something.

    If you read the SPRO through I/O to the parrallel port
    you will notice the following facts:


    And I have no problems reading any of the cells defined with
    attribute 1.
    One thing as true that cell 5 is allways 0.

    As I've been saying all along, is that if you query cell 2 and get an invalid response (you can only tell by the returned data), then you have a newer SPRO. If you get what appears to be proper encrypted info then you have an older style SPRO.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Newbie with a Sentinel Dongle...
    By 0deuce0 in forum The Newbie Forum
    Replies: 1
    Last Post: May 26th, 2009, 15:41
  2. Sentinel SuperPro Emulation - Have Dongle
    By spinemangler in forum The Newbie Forum
    Replies: 10
    Last Post: April 13th, 2006, 22:46
  3. Need help on Sentinel Dongle!
    By cah in forum Malware Analysis and Unpacking Forum
    Replies: 0
    Last Post: January 3rd, 2002, 08:10
  4. Sentinel CPlus Dongle - I'm half way there.
    By Spiv in forum Malware Analysis and Unpacking Forum
    Replies: 10
    Last Post: April 19th, 2001, 21:09


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts