It took a small group effort, but we cracked it.
Problem 1: Bug in limitation to %UREG command
First of all, on 4.20 they check to see whether the %UREG request lies within certain bounds as follows:
if (addr < 0x3ef000 || addr > 0x3ef007) return(0);
if ((addr+len) < 0x3ef000 || (addr+len) > 0x3ef007) return(0);
Now because addr en len are both 32 bits, we can make use of the wrap (negative in effect). After the test above the maximum length will be limited to 100 (0x64).
So for instance:
will read 100 bytes from 0x3FE004, clearly outside the range UREG was meant to be restricted to.
Problem 2: Obfuscation too easy
When executing the command above: after 74 bytes of FF, the obfuscated result code is displayed. The information needed to get the unlock code is contained twice, in the format ABCDABCDEFGHEFGH if a different letter is assigned to each unique nibble. Nibbles are first swapped to make EHAFGBCD. Then bits 3 of nibbles H, F and B are rotated left, so that nibble H gets bit 3 from F and so forth. After this, the whole 4 byte value is rotated into the lower bit. The result is the 8 digit unlock code in BCD, which can be supplied to the unlock command:
AT%SIDLCK=0,<8-digit unlock code>
Nice try: took us 2 person-days, probably still less than it took to think up, define, approve and program. :twisted:
The new version of The Manipulator
, online now, supports unlocking of Radio Stack 4.20.