Simple unix busting
(the microphar dongle galore)

by Dr. Fuhrball
(6 November 1997)

Dongle cracking

Simple unix busting

by Dr. Fuhrball


modified 6 November 1997 



I have read all of the student essays, and none refer

to unix and only two refer to dongles. This essay refers

to both and indicates some techniques.



HISTORY:

The unix lineage for X86 based architecture goes back to

the original Xenix for 286 that microsoft produced back in

1983 with source code bought from AT&T for about 1 Million

dollars. About 6 months after the purchase of source code

from AT&T, AT&T started selling source code to anyone with

65 to 250 thousand dollars. Billy boy got a bit miffed and

split of the Xenix product to Santa Cruz Operation (SCO).

SCO has been producing Unix ever since. They have significantly

added to the line with networking from Lachman and Sun, and

X windows from MIT. SCO openserver 5 is a highly integrated

and slick product, but its fairly expensive too. If you are

at a University however you can get the product for virtually

nothing.



MAJOR NOTE: you need root password to do all of this.







The product in question is Aries which is a 3d graphics

package that runs on Sco openserver5. Similar to autocad

in function, its about 100 times more powerful. And about

5 times as expensive. It drives SLA's (stereo lithography

aparatus) directly. (argon ion laser writes on nasty

chemical which turns solid creating 3d shapes). It also

drives my hobby mill in the basement.



Anyway this program comes with a microphar (french) dongle

which is basically a few gates and a national semiconducor

eeprom nmc9306 (32 words). A lot of the dongles out there

use this part, because of its extremely low consumption of

power. Its serial 2 wire interface and open collector output

make it perfect for attachment to a printer port.



There are a number of ways to break this thing. Since I have

an MSEE (Master of Science, Electrical Engineering),

my first inclination is to hook up the logic analyzer

and look at whats going on. I have now seen at least 5 different

dongles that all use the national semiconductor eeprom, in various

creative ways, but its basically the same thing. The logic analyzer

trick certainly works, because you can see the entire data stream

and if you wanted to you could create a completely compatable device

which combined with a small software program would allow you to read

out all of the data, and then program it into your own device. However

the use of dongles tends to cause other problems, especially with

most new bi-directional laser printers. So the desire to remove the

device is preferable. The logic analyzer method relys on the fact

that there is really only one data output line, one clock line and

one data input line. The rest of the lines are either do not care, or

held in a high or low state to enable the device.



(The new Rainbow technologies software sentinel pro is just a fancied

version of same, with the addition of their 8 shift register with

adjustable feedback of old), 100% proprietary of course.



Of Course I also have a MSCS (Master of Science, Computer Science),

and that lends me to the software crack. Which is elegant because it

does not touch the origional aries code. And thats good, because the

main executable is over 10mb. And with their update of the month club,

you could be cracking this thing for the rest of your life. In addition

there are 6 different executables that would need cracking.

This crack once installed, lasts forever.



Back to the story;





When you install this program it adds a device driver that

talks to the dongle.



In all unix's, virtually everything is done with device drivers.

hard disk, serial ports, ethernet ports, the video display...

You can even access memory through a device driver.





Virtually all X86 based unix's today based on AT&T 5.4 code do

the following in exactly the same manner.

(SCO,Interactive, UHC, Consensys, Novell Unix....)

(BSDI and Solaris are different however but these tricks still hold)





running strings on Driver.o module in the /etc/conf/pack.d/mp shows

among others the following symbols.



(all unix drivers are stored in /etc/conf/pack.d/drivername and consist

of an object module and possibly a C tunables file called space.c)

(also on new unix's, these directorys are actually symbolicly linked

to somewhere else)



mpopen, mpclose, mpread, mpwrite...



So now we have the names to look at in kernel space.



Fire up adb on /unix and disassemble starting at mpopen and you get



(one of the nice things about unix is that you can always get to

kernel space, but be careful patching a live kernel)

The rest has been deleted for brievity

Anyway, its obviously C code, virtually

all unix drivers are. So lets dis-compile

the whole thing, which once you get the

knack, goes quite quick.



Also note that good C compilers generate code thats

so obvious that its easy to dis-compile.



Here is the dis-compiled code



It took about 3 hours with my favorite drink

which is 50 year old single malt north highlands

SCOTCH. I did have a bottle of real russian vodka

once, but in the USA, its virtually impossible to find.



Notice that its still in french. They did not even

have the brains to strip the debugging symbols out

of the final Driver.o module which made dis-compilation

that much easier.



One thing that makes this easier is that at any point

you can re-compile and compare to the original object

module. At some point they will both be the same except

for the compile date.

Whats going on here. A bunch of mucking around to hide

the real and trivial protection stuff. Also various

ands, ors, and inverts to further hide the data, plus

moving around more than the one data line and clock

line to the eeprom to throw off my Tektronix 7d01/df2

logic analyzer. (NOT)



Before going any further it helps to print out and study

this driver. It shows many things including the required

entry points, and functions that pass strings to and from

kernel space. Device drivers must pay strict attention to

memory and stack usage, as well as calling most intrinsic

functions. Thats why for example in the code below debugging

strings have to be written to the Common Error routine instead

of calling another driver. In virtually all cases one device

driver cannot call another.





Back to the story





Basically you write to the device driver a "P#####*"

and when you issue a read call you get an ascii string as the answer.



The ##### is an ascii number between 0 and 65535



for example P0*   P00*     P1234*





further example



cat >/dev/mp



type in P1234* 



hit a control Z



cat </dev/mp



5678





So now lets write a simple program which when compiled and

run with the output re-directed to the file "datafile"

generates all 64K possible output answers without having

to really figure out the entire thing.



The algorithm part of the software sentinel pro works in

exactly the same fashion. (Until you realize that its just

an 8 bit shift register with tapped feedback, then its easy)





What we are doing here is taking the simple way out. Instead

of figuring out the 32 words of data in the eeprom and then

calculating the masks, we just interrogate every possible

request and tabulate every possible answer. If this was a

32 bit number, this technique would not be practical.





Furthermore, if Aries actually wrote to the eeprom (which it

definitely does not), we would have to do a bunch more work.

The eeproms used in this device have a maximum write capacity

of between 10,000 and 100,000, and since aries interrogates the

device more than once a minute, writing to it is impractical.



Thus

which generates int data [] = {#,#,#,#.....}





Pretty simple huh. OH, and yes this takes a while

to run. (about 15 minutes)





Now lets hack the origional device driver removing

lots and lots of useless garbage. We cannot null out the

open and close routines, because they prevent re-entrancy.



Thus

Now we compile this thing, call it Driver.o, replace their driver

with our own (saving theirs someplace safe), relink and install

the unix kernel, and bye bye dongle.



To compile, install and link the kernel do;



cc mp.c -o Driver.o



mv Driver.o /etc/conf/pack.d/mp



cd /etc/conf/cf.d



./link_unix          (thats dot slash link underscore unix)



after rebuilding the kernel (takes about 5 minutes) it will

ask if you want to install the kernel as default.



Answer yes.



Then it will ask whether you want the environment rebuilt.



The answer here does not matter. But for example if you have

changed major and minor device numbers (which we have not) you

would have to answer yes, because device names in the /dev directory

would no longer be pointing to the right place.



Now reboot    (type init 0)    and you are done.





In addition, all the utilites necessary to break this come as

part of the operating system (use the crippled C compiler or get

GCC). This is unlike Windows95 where you need softice, wdasm,...



What we have seen here is that parallel port dongles used on

unix boxes give virtually worthless protection, far easier

than their dos/windows counterparts. They all fail the

freddy the freeloader part of the fiat-shamir zero knowledge test!



Matter of fact, a lot of things fail the fiat shamir test. Go search

the web, lots of good reading on this topic.





And while we are on the subject of fiat-shamir, the biggest failure

on this so far is the DSS-02 smart cards for the DSS receivers in

the USA market. The pirates are making way too much money selling

solutions that do not work for long. Look people it does not make

sense. Why give a pirate $500 for a T or L or Battery card, which

1.5 years later croaks permanantly, just to buy the latest twiddled

H card for another $500, and then buy the shim card for another 500.

Its way cheaper to legally subscribe (Canada is a different story).

This is something that needs to be brought to the grass-roots level.

The latest card is way to easy to twiddle. Lets put the people that

are strictly in this for the money out of buisness. We know who you

are. I personally do not have a DSS, and because i have a REAL dish,

I am not likely to ever get one. (4dtv is another story). And since

I live in the USA, I will NOT get involved in DSS activities...







Soon will come an essay on the Rainbow Technologies Software

sentinel superpro. Which can also be busted numerous ways.

And just slightly harder. I now have a virtually 100 percent working

programable hardware solution. And yes you can read the algorithm

and time keys out of the device. Although you can certainly crack

this via the software methods, or replace their driver with another,

A downloadable version of a hardware emulator can make this quite

easy to use.



Also an essay on breaking protection on the EESOF (now hp)

touchstone, montecarlo, linecalc and other high priced spreads.

hint( one cmos 8 bit eprom size >128 bytes, 8 diodes, one cap,

one cmos buss transiever). The hardware solution here was just

too simple to ignore.





Other fun targets. The protection DEC uses on their unix that runs

on the alpha motherboards. This one could be fairly tough.



Other fun targets: serial dongles (like netsentinel). Almost as

easy, you have to create a shim between the program and the real

tty driver...





       later            Dr. Fuhrball

(c) Dr. Fuhrball. All rights reversed