Hermes BootLoaderPassword

From XDA-Developers
Revision as of 10:07, 10 November 2010 by Hakim Rahman (Talk | contribs) (How to circumvent Hermes BootLoader & radio BootLoader passwords)


How to circumvent Hermes BootLoader & radio BootLoader passwords

The Hermes BootLoader has a 'password' command which takes a dynamically generated 16-byte password. This password is issued by ROMUpgradeUt.exe before doing a ROM upgrade.

To generate the password, ROMUpgradeUt.exe sends the command =info 3= to the bootloader and uses the output of this command as the seed for the password (information for password encryption).

This is the output of the bootloader when ROMUpgradeUt.exe issues the command =info 3= during a ROM upgrade, captured using HHD Software USB Monitor. Note that the bootloader returns different data each time you send the command =info 3=, so a new password is generated every time:

000045: Bulk or Interrupt Transfer (UP), 21.08.2006 20:45:29.4245056 +0.0300432
Pipe Handle: 0x82c50e1c (Endpoint Address: 0x81) Get 0x85c bytes from the device:

 48 54 43 53 48 00 45 00 52 00 4D 00 32 00 30 00          HTCSH.E.R.M.2.0.
 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          0...............
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 51 54 45 4B 5F 30 30 31 00 00 00 00          ....QTEK_001....
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 A3 40 2A D9 79 C3 D6 73 09 33 67 67          ....£@*ÙyÃÖs.3gg
 7F 1D FF DA B8 FE FC 42 A4 11 7C D5 EF 66 20 40          .ÿÚ¸þüB¤.|Õïf @
 E0 34 11 9D 00 00 00 00 00 00 00 00 00 00 00 00          à4.�............
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 41 00 00 00 00 08          ..........A.....
 00 00 00 50 00 00 1A 50 00 00 00 00 00 00 41 00          ...P...P......A.
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00          ....H...........
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 31 2E 30 34 00 00 00 00 00 00 00 00          ....1.04........
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
 00 00 00 00 9B 17 B0 EE 48 54 43 45                      ....›.°îHTCE


This is the output of the bootloader when ROMUpgradeUt.exe issues the command =info 6= during a ROM upgrade. This command is sent after =info 3=, but it is not needed for password decryption.

000055: Bulk or Interrupt Transfer (UP), 21.08.2006 20:45:40.1098704 +0.0
Pipe Handle: 0x82c50e1c (Endpoint Address: 0x81) Get 0x10 bytes from the device:

 48 54 43 53 54 20 20 20 7F DA C8 D2 48 54 43 45          HTCST   ÚÈÒHTCE


Then ROMUpgradeUt.exe sends the password:

000057: Bulk or Interrupt Transfer (UP), 21.08.2006 20:45:42.1728368 +2.0629664
Pipe Handle: 0x82c50e3c (Endpoint Address: 0x4) Send 0x1a bytes to the device:

 70 61 73 73 77 6F 72 64 20 7E 64 7E 7E 7E 7E 7E          password ~d~~~~~
 7E 7E 7E 7E 72 7E 30 30 30 0D                            ~~~~r~000.


The Hermes bootloader returns "HTCS" + "Pass1" + 4-byte checksum + "HTCE" if the password is correct:

000084: Bulk or Interrupt Transfer (UP), 21.08.2006 20:45:42.1828512 +0.0
Pipe Handle: 0x82c50e1c (Endpoint Address: 0x81) Get 0x13 bytes from the device:

 48 54 43 53 50 61 73 73 31 2E 0A 43 4D 88 CB 48          HTCSPass1..CMˆËH
 54 43 45                                                 TCE

To identify with the normal bootloader

There are two methods to enter the bootloader with the correct password:

  1. We can attach a debugger to ROMUpgradeUt.exe and put a breakpoint just after it generates the password, read the password from the process memory, and then connect to the bootloader with the correct password. The process is described in this PDF file: [1]
  2. The algorithm that ROMUpgradeUt.exe uses to generate the password is now known: pass-generator reverse engineered.


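#include <string.h>   // memset, memcpy (used by the decode functions below)

// Standard CRC-32 lookup table (reflected polynomial 0xEDB88320).
unsigned long Crc32Table[256] =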
{
0x00000000,  0x77073096,  0xEE0E612C,  0x990951BA,  0x076DC419,  0x706AF48F,  0xE963A535,  0x9E6495A3,
0x0EDB8832,  0x79DCB8A4,  0xE0D5E91E,  0x97D2D988,  0x09B64C2B,  0x7EB17CBD,  0xE7B82D07,  0x90BF1D91,
0x1DB71064,  0x6AB020F2,  0xF3B97148,  0x84BE41DE,  0x1ADAD47D,  0x6DDDE4EB,  0xF4D4B551,  0x83D385C7,
0x136C9856,  0x646BA8C0,  0xFD62F97A,  0x8A65C9EC,  0x14015C4F,  0x63066CD9,  0xFA0F3D63,  0x8D080DF5,
0x3B6E20C8,  0x4C69105E,  0xD56041E4,  0xA2677172,  0x3C03E4D1,  0x4B04D447,  0xD20D85FD,  0xA50AB56B,
0x35B5A8FA,  0x42B2986C,  0xDBBBC9D6,  0xACBCF940,  0x32D86CE3,  0x45DF5C75,  0xDCD60DCF,  0xABD13D59,
0x26D930AC,  0x51DE003A,  0xC8D75180,  0xBFD06116,  0x21B4F4B5,  0x56B3C423,  0xCFBA9599,  0xB8BDA50F,
0x2802B89E,  0x5F058808,  0xC60CD9B2,  0xB10BE924,  0x2F6F7C87,  0x58684C11,  0xC1611DAB,  0xB6662D3D,
0x76DC4190,  0x01DB7106,  0x98D220BC,  0xEFD5102A,  0x71B18589,  0x06B6B51F,  0x9FBFE4A5,  0xE8B8D433,
0x7807C9A2,  0x0F00F934,  0x9609A88E,  0xE10E9818,  0x7F6A0DBB,  0x086D3D2D,  0x91646C97,  0xE6635C01,
0x6B6B51F4,  0x1C6C6162,  0x856530D8,  0xF262004E,  0x6C0695ED,  0x1B01A57B,  0x8208F4C1,  0xF50FC457,
0x65B0D9C6,  0x12B7E950,  0x8BBEB8EA,  0xFCB9887C,  0x62DD1DDF,  0x15DA2D49,  0x8CD37CF3,  0xFBD44C65,
0x4DB26158,  0x3AB551CE,  0xA3BC0074,  0xD4BB30E2,  0x4ADFA541,  0x3DD895D7,  0xA4D1C46D,  0xD3D6F4FB,
0x4369E96A,  0x346ED9FC,  0xAD678846,  0xDA60B8D0,  0x44042D73,  0x33031DE5,  0xAA0A4C5F,  0xDD0D7CC9,
0x5005713C,  0x270241AA,  0xBE0B1010,  0xC90C2086,  0x5768B525,  0x206F85B3,  0xB966D409,  0xCE61E49F,
0x5EDEF90E,  0x29D9C998,  0xB0D09822,  0xC7D7A8B4,  0x59B33D17,  0x2EB40D81,  0xB7BD5C3B,  0xC0BA6CAD,
0xEDB88320,  0x9ABFB3B6,  0x03B6E20C,  0x74B1D29A,  0xEAD54739,  0x9DD277AF,  0x04DB2615,  0x73DC1683,
0xE3630B12,  0x94643B84,  0x0D6D6A3E,  0x7A6A5AA8,  0xE40ECF0B,  0x9309FF9D,  0x0A00AE27,  0x7D079EB1,
0xF00F9344,  0x8708A3D2,  0x1E01F268,  0x6906C2FE,  0xF762575D,  0x806567CB,  0x196C3671,  0x6E6B06E7,
0xFED41B76,  0x89D32BE0,  0x10DA7A5A,  0x67DD4ACC,  0xF9B9DF6F,  0x8EBEEFF9,  0x17B7BE43,  0x60B08ED5,
0xD6D6A3E8,  0xA1D1937E,  0x38D8C2C4,  0x4FDFF252,  0xD1BB67F1,  0xA6BC5767,  0x3FB506DD,  0x48B2364B,
0xD80D2BDA,  0xAF0A1B4C,  0x36034AF6,  0x41047A60,  0xDF60EFC3,  0xA867DF55,  0x316E8EEF,  0x4669BE79,
0xCB61B38C,  0xBC66831A,  0x256FD2A0,  0x5268E236,  0xCC0C7795,  0xBB0B4703,  0x220216B9,  0x5505262F,
0xC5BA3BBE,  0xB2BD0B28,  0x2BB45A92,  0x5CB36A04,  0xC2D7FFA7,  0xB5D0CF31,  0x2CD99E8B,  0x5BDEAE1D,
0x9B64C2B0,  0xEC63F226,  0x756AA39C,  0x026D930A,  0x9C0906A9,  0xEB0E363F,  0x72076785,  0x05005713,
0x95BF4A82,  0xE2B87A14,  0x7BB12BAE,  0x0CB61B38,  0x92D28E9B,  0xE5D5BE0D,  0x7CDCEFB7,  0x0BDBDF21,
0x86D3D2D4,  0xF1D4E242,  0x68DDB3F8,  0x1FDA836E,  0x81BE16CD,  0xF6B9265B,  0x6FB077E1,  0x18B74777,
0x88085AE6,  0xFF0F6A70,  0x66063BCA,  0x11010B5C,  0x8F659EFF,  0xF862AE69,  0x616BFFD3,  0x166CCF45,
0xA00AE278,  0xD70DD2EE,  0x4E048354,  0x3903B3C2,  0xA7672661,  0xD06016F7,  0x4969474D,  0x3E6E77DB,
0xAED16A4A,  0xD9D65ADC,  0x40DF0B66,  0x37D83BF0,  0xA9BCAE53,  0xDEBB9EC5,  0x47B2CF7F,  0x30B5FFE9,
0xBDBDF21C,  0xCABAC28A,  0x53B39330,  0x24B4A3A6,  0xBAD03605,  0xCDD70693,  0x54DE5729,  0x23D967BF,
0xB3667A2E,  0xC4614AB8,  0x5D681B02,  0x2A6F2B94,  0xB40BBE37,  0xC30C8EA1,  0x5A05DF1B,  0x2D02EF8D
};

unsigned long Crc32(const unsigned char *pData, unsigned long nSize, unsigned long nPrev=0) {
   unsigned long nCrc32=nPrev;//^0xFFFFFFFF;
   while (nSize) {
      nCrc32=((nCrc32) >> 8) ^ Crc32Table[(*pData) ^ ((nCrc32) & 0x000000FF)];
      pData++;
      nSize--;
   }
   //nCrc32 = nCrc32^0xFFFFFFFF;
   return nCrc32;
}

//By TheBlasphemer
// Replaces the 32-byte buffer in szBuffer with the 16-byte password (rest zeroed).
void DecodeSecurityBuffer(unsigned char *szBuffer) {
   unsigned char pSolution[16];
   memset(pSolution,20,sizeof(pSolution));
   unsigned long nFirstCrc=Crc32(szBuffer,16,0);    // CRC of the first 16 bytes
   unsigned long nSecondCrc=Crc32(szBuffer,32,0);   // CRC of all 32 bytes
   unsigned long nThirdCrc=nFirstCrc+nSecondCrc;
   // Copy exactly 4 bytes per value (little-endian host assumed). sizeof(unsigned long)
   // is 8 on LP64 systems, where the last copy would overrun pSolution.
   memcpy(pSolution,&nFirstCrc,4);
   memcpy(&pSolution[4],&nSecondCrc,4);
   memcpy(&pSolution[8],&nThirdCrc,4);
   // The last 4 bytes are the byte-wise sum of the first 12.
   unsigned long nFourthCrc=0;
   unsigned long i;
   for (i=0; i<12; i++)
      nFourthCrc+=pSolution[i];
   memcpy(&pSolution[12],&nFourthCrc,4);

   // Clamp every byte into the range '0'..'~' and step over '=' and '?'.
   for (i=0; i<16; i++) {
      if (pSolution[i]<'0')
         pSolution[i]='0';
      else if (pSolution[i]>'~')
         pSolution[i]='~';
      else if (pSolution[i]=='=')
         pSolution[i]='>';
      else if (pSolution[i]=='?')
         pSolution[i]='@';
   }

   memset(szBuffer,0,32);
   memcpy(szBuffer,pSolution,16);
}



To identify with the radio bootloader

TheBlasphemer has also written the function to decode the radio password:

void DecodeRadioSecurityBuffer(unsigned char *pBuffer) {
   unsigned char pSillyStuff[]={0x1F,0x00,0x1E,0x01,0x1D,0x16,0x0A,0x0F,0x0E,0x08,0x03,0x19,0x06,0x17,0x11,0x0B,
                                0x0A,0x11,0x00,0x16,0x04,0x0C,0x1D,0x07,0x0F,0x1A,0x01,0x0B,0x0D,0x10,0x17,0x1F};
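   unsigned char pTraditionalBuffer[32];
   unsigned long i;
   // Fill with a fixed pattern, then place the 16 bytes selected by the first half
   // of pSillyStuff at the even offsets.
   for (i=0; i<32; i++)
      pTraditionalBuffer[i]=0xCF-(i*4);
   for (i=0; i<16; i++)
      pTraditionalBuffer[i*2]=pBuffer[pSillyStuff[i]];
   // Run the normal bootloader algorithm; the first 16 bytes now hold its result.
   DecodeSecurityBuffer(pTraditionalBuffer);
   // Refill the 32-byte output with a second pattern and scatter the 16 result bytes
   // to the offsets given by the second half of pSillyStuff.
   for (i=0; i<32; i++)
      pBuffer[i]=0xFF-(i*3);
   for (i=0; i<16; i++)
      pBuffer[pSillyStuff[16+i]]=pTraditionalBuffer[i];
}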


First send =rtask a= to go into radio bootloader mode. This is the USB log after issuing this command:

000114: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:35.7489386 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x18 bytes from the device:
 45 6E 74 65 72 20 52 61 64 69 6F 20 42 6F 6F 74   Enter Radio Boot
 6C 6F 61 64 65 72 0D 0A                           loader..


Then send =rinfo=. This should again give you a lot of data encapsulated in an HTCS-HTCE block.

Copy 32 bytes starting from offset 0x2B0 to a temporary buffer, and run it through =DecodeRadioSecurityBuffer()=. This new buffer now contains the radio password, but it is not a normal string.

To use it, send "=rpass \r=" (mind the space between =rpass= and =\r=), then send "HTCS" + the password + the CRC of the password as bytes + "HTCE". It should return either "T " for success or "F " for failure (encapsulated in an HTCS-HTCE block):

000889: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +1.9928656
Pipe Handle: 0x82f5ed54 (Endpoint Address: 0x4)
Send 0x6 bytes to the device:
 72 70 61 73 73 20                                 rpass

000890: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed54 (Endpoint Address: 0x4)
Send 0x1 bytes to the device:
 0D                                                .

000891: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed54 (Endpoint Address: 0x4)
Send 0x4 bytes to the device:
 48 54 43 53                                       HTCS

000892: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed54 (Endpoint Address: 0x4)
Send 0x20 bytes to the device:
 5C 4B F9 F6 43 F0 ED 7E E7 E4 30 7E 67 51 D5 49   \KùöCðí~çä0~gQÕI
 30 67 C9 C6 C3 C0 30 30 B7 B4 7E AE AB 7E A5 30   0gÉÆÃÀ00·´~®«~¥0


000893: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed54 (Endpoint Address: 0x4)
Send 0x4 bytes to the device:
 56 4C A3 7A                                       VL£z

000894: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed54 (Endpoint Address: 0x4)
Send 0x4 bytes to the device:
 48 54 43 45                                       HTCE

000895: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 48                                                H

000896: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9249434 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 54                                                T

000897: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0100144
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x5 bytes from the device:
 43 53 54 20 20                                    CST

000898: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 20

000899: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 7F                                                

000900: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 DA                                                Ú

000901: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 C8                                                È

000902: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 D2                                                Ò

000903: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 48                                                H

000904: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 54                                                T

000905: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 43                                                C

000906: Bulk or Interrupt Transfer (UP), 31.08.2006 00:07:39.9349578 +0.0
Pipe Handle: 0x82f5ed34 (Endpoint Address: 0x81)
Get 0x1 bytes from the device:
 45                                                E
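
The replies above all use the HTCS ... HTCE envelope, and the rpass reply arrives split across twelve bulk transfers, so a log parser has to reassemble before it can check anything. The following C++ reassembler is an added example, not code from the original page or from TheBlasphemer; `htc_crc32`, `HtcFrame`, `HtcReassembler` and `reassemble` are hypothetical names, and it assumes the 4-byte trailer is the page's Crc32 (initial value 0, no final XOR) over the payload, stored little-endian, which was checked only against the "T" reply bytes in the log above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Same CRC as the page's Crc32(): reflected polynomial 0xEDB88320, but with
// initial value 0 and no final XOR, so it is not the standard CRC-32 result.
static uint32_t htc_crc32(const uint8_t *p, size_t n, uint32_t crc = 0) {
    while (n--) {
        crc ^= *p++;
        for (int bit = 0; bit < 8; ++bit)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

struct HtcFrame {
    std::vector<uint8_t> payload;  // bytes between "HTCS" and the trailer
    uint32_t trailer = 0;          // checksum as sent, little-endian on the wire
    bool crc_ok = false;           // trailer == htc_crc32(payload) (assumption)
};

// Hypothetical helper: buffers bulk transfers until one HTCS...HTCE frame is whole.
class HtcReassembler {
    std::string buf_;
public:
    bool feed(const std::vector<uint8_t> &xfer, HtcFrame &out) {
        buf_.append(xfer.begin(), xfer.end());
        size_t start = buf_.find("HTCS");
        if (start == std::string::npos) {
            // Keep a 3-byte tail: the start marker may be split across transfers.
            if (buf_.size() > 3) buf_.erase(0, buf_.size() - 3);
            return false;
        }
        buf_.erase(0, start);  // discard anything received before the frame
        // Shortest frame is HTCS + trailer + HTCE, so HTCE cannot start before 8.
        // Limitation: a payload that itself contains "HTCE" ends the frame early.
        size_t end = buf_.find("HTCE", 8);
        if (end == std::string::npos) return false;
        const uint8_t *b = reinterpret_cast<const uint8_t *>(buf_.data());
        out.payload.assign(b + 4, b + end - 4);
        out.trailer = uint32_t(b[end - 4]) | uint32_t(b[end - 3]) << 8 |
                      uint32_t(b[end - 2]) << 16 | uint32_t(b[end - 1]) << 24;
        out.crc_ok = htc_crc32(out.payload.data(), out.payload.size()) == out.trailer;
        buf_.erase(0, end + 4);  // keep any following frame buffered
        return true;
    }
};

// The rpass reply, fragmented exactly as in the log above (000895 to 000906).
static const std::vector<std::vector<uint8_t>> kRpassReply = {
    {'H'}, {'T'}, {'C', 'S', 'T', ' ', ' '}, {' '}, {0x7F}, {0xDA}, {0xC8}, {0xD2},
    {'H'}, {'T'}, {'C'}, {'E'}};

// Feeds the transfers in order; true once a frame has been stored in `out`.
static bool reassemble(const std::vector<std::vector<uint8_t>> &xfers, HtcFrame &out) {
    HtcReassembler r;
    for (const auto &x : xfers)
        if (r.feed(x, out)) return true;
    return false;
}

int main() {
    HtcFrame f;
    if (reassemble(kRpassReply, f))
        std::printf("payload=%zu trailer=%08X crc_ok=%d\n", f.payload.size(),
                    (unsigned)f.trailer, (int)f.crc_ok);
    return 0;
}
```

A frame that comes back with `crc_ok` false is either corrupt or uses a checksum span this example does not model.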


For the full USB log of the bootloader password and radio bootloader password, download this file.

