5.1 crack [DONE]

[munkustrap]

Hi Guys

old Topic new idea.

As far as I understood, the CPU reads the Brain Board ESN and checks if the licenses are valid.
So If we are able to send always the same ESN where we have the codes then the d8b is 5.1 open.

Now the Story behind that.
The d8b console boots with a small Firmware which is in the EROM on the brainboard. there also the ESN can be read out (I guess). Additional the CPU transmitts the real Firmware (its a hex file on the System). If this Firmware has also the possibility to read out this ESN, then it is also possible to Hack that file that it sends always the same ESN where we know the Authentification codes. The 5.1 then should be usable.

can somebody sniff the command for the ESN request? that would be helpful.
I just started to write a disassembler for the DSP in the brainboard. I already found two lines where the Program Memory is read, maybe there they read out the ESN.

best regards
Munk

[bitSync]

Hi Guys

old Topic new idea.

As far as I understood, the CPU reads the Brain Board ESN and checks if the licenses are valid.
So If we are able to send always the same ESN where we have the codes then the d8b is 5.1 open.

Now the Story behind that.
The d8b console boots with a small Firmware which is in the EROM on the brainboard. there also the ESN can be read out (I guess). Additional the CPU transmitts the real Firmware (its a hex file on the System). If this Firmware has also the possibility to read out this ESN, then it is also possible to Hack that file that it sends always the same ESN where we know the Authentification codes. The 5.1 then should be usable.

can somebody sniff the command for the ESN request? that would be helpful.
I just started to write a disassembler for the DSP in the brainboard. I already found two lines where the Program Memory is read, maybe there they read out the ESN.

best regards
Munk

So as I understand it, you're considering -

- Identifying the RS232 request and reply messages between the console and the CPU for brain board ESN.
- Seeing if the returned ESN from the console is in cleartext. If not, figure out how it is encoded.
- Consider implementing an overwrite function (in firmware or some other translator) of the returned ESN and code-resident unlock codes with known functioning values.

Is that about right?

So, do you have any clues about the RS232 command and reply for ESN, or would a sniffing contributor to the project be looking for his or her own cleartext ESN in the RS232 traffic?

[bitSync]

Or a custom-built firmware for the brain board?

[munkustrap]

I'm thinking of a custom build Firmware for the brain board.
The Firmware is uploaded by the CPU, therefore it is more easy to hack that the one in the EPROM.
If this Firmware (that is uploaded by CPU) supports the readout of the ESN, then it is possible to make a hack that always sends the same ESN (doesn't matter which is stored in the EROM). For sure it must be an existing ESN where we know the license keys. But then it would be the same keys for all d8bs.

I already hacked the Firmware to double the Baud Speed on the RS232, also the meterbridge command was hacked. So if this Firmware also transmit the ESN then it is possible to hack it. Only the effort is the question.

If we know the command to readout the ESN, then it is possible to vrify the hack (to see if the wanted ESN Comes back)

[Old School]

Hi Munk,
Of all the people who came to this stream promising great things, you are the only one who delivered. A long time ago I asked if it was a possibility to write new software for the D8B hardware & free us from this OEM ball & chain. Is this still something that you could or would do? With the ability to use any motherboard & 3rd party plugins, the D8B hardware would be a world-beater. I for one would be willing to pay over a thousand dollars for a new OS. Right now my studio is down, I can't find a console out there that I want to invest in. Is this a project that could be economically viable for you?

Have a blessed day in Christ,
Mike W.

[munkustrap]

Hi

yes it is a pity that many People have great ideas but promise things that they cannot fullfill (such things need time).
The 5.1. hack in the moment is just a thought, I'm not in the phase where I can tell you that it is possible to realise that.

Regarding a new Mackie OS, I will not do that. It is too much effort and I do not have the skills to make the whole DSP/Plugin stuff. There was a guy "Augusto" who announced an OS many months ago. I personally think that he really has the skills to do something like that. I don't know how far he is or if he has dropped the idea.
There is a Facebook site with nearly 0 activity.

Some time ago I had the idea to implement a Basic Audio function to the probox like Audio Routing , fader moves, mutes, solo, but no EQs and no Plugins. But that stuff is blocked by the amount of free time and the fact that I do not own a CPU to get all the commands for that.

best regards
Munk

[munkustrap]

Ok, so I think a got a Little more understanding now regarding the ESN. Maybe somebody that has the 5.1 OS with FX Cards and Plugins can give me an idea if my guess is right.

1. I guess the d8b ESN is not stored on the brain board ROM. It drives me crazy to find any ROM read commands in the hex code. but there are non that will Point to as ESN read. I thought that it is also not a good soltion to have a dedicated ROM for each d8b. Usually for this Kind of stuff an EEPROM or at least an EPROM is used. And I found it. It is placed on the I/O Card. The function of a PIC with EEPROM on the I/O Card is useless, so for what is it for? I'm pretty sure the ESN is stored there. Maybe a Person that has two d8b makes an Experiment and Exchange the I/O boards. would be interesting what happens with the licences. The I/O Card is connected with a data line to the brainboard, so the brainboard can read the ESN from the I/O Card.

2. does every FX Card has ist own ESN ? I think so.

3. May somebody who has a FULL d8b (all licenses with codes and ESN ?) please PM me if you are willing to send it.

thanks to all, I will stay on this Project, maybe there will be positive results

[anyhorizon]

The ESN is actually a unique small chip on the brain board. There is reference to it on these pages if you do a search.

Peter

[bitSync]

The ESN is actually a unique small chip on the brain board. There is reference to it on these pages if you do a search.

Peter

From the service manual -

Code: Select all

055-136-00 REV A, BRAIN BOARD -

PART NO.           DESCRIPTION         VALUE       REFERENCE DESIGNATORS
329-040-03         IC, SERIAL NUMBER   DS2401      U16


https://www.maximintegrated.com/en/products/digital/memory-products/DS2401.html

[munkustrap]

Hi bitsync

thanks a lot, that was a big hint for me !!!
I've overseen that in the schematics.

best regards
Ralph