CP200 Password Hacking...

1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

CP200 Password Hacking...

Post by 1crazymax »

This is probably like beating a dead horse, but with all the searches I seem to find no new information, just the same info that's been floating out in cyberspace for a while. I'm not a computer genius but I do alright, and I've purchased 3 used CP200XLS radios in good condition that are all mates. When I tried to read the radios they are password protected. I went through this about a year and a half ago and finally had to send one radio off to be hacked. I read in another forum that you can use Wireshark and since this is a Display radio it should be even easier to hack. I downloaded Wireshark and can't figure out how to get it to capture my Com 4 Port where my programming cable is. Then I read something to the effect that Wireshark cannot read USB in Windows, just in Linux, so I'm back to square one. Last year I was using WinHex Hex Editor but really never knew if I was reading the right stream. Short story long, is there ANY information out there that goes into more detail about how to Hack a Password in a CP200 series radio, something that might be explained in layman's terms? I'm just trying to learn something new that will be to my benefit. I know sometimes I get smart aleck replies, since I'm not familiar with how to do this, I just ask them, did you wake up one morning and know everything? Any help, guidance, suggestions would be greatly appreciated. Thank you,

David
Al
Posts: 1045
Joined: Tue Sep 04, 2001 4:00 pm

Re: CP200 Password Hacking...

Post by Al »

So you want to bypass the password in the CPS in order to reprogram your CP200s. It would help if we knew which version of the commercial series CPS that you're using. If you tell us that, I or someone here will be able to help you use Winhex to locate the address of the string that you need to find and change.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

My apologies, I'm using version R05.16 . The radios are CP200XLS , model AAH50RDF9AA5AN software versions (1) R03.04.02 (2) R03.06.02 (3) R03.07.01. FCC I.D. on all 3 radios is ABZ99FT4056. I hope this helps. If any additional info is needed please do not hesitate to ask. Thank you,

David
SteveC0625
Posts: 467
Joined: Sat Jan 01, 2011 9:46 am
What radios do you own?: CDM's, CP's, CM's, and more

Re: CP200 Password Hacking...

Post by SteveC0625 »

1crazymax wrote: This is probably like beating a dead horse, but with all the searches I seem to find no new information, just the same info that's been floating out in cyberspace for a while. I'm not a computer genius but I do alright, and I've purchased 3 used CP200XLS radios in good condition that are all mates. When I tried to read the radios they are password protected. I went through this about a year and a half ago and finally had to send one radio off to be hacked. I read in another forum that you can use Wireshark and since this is a Display radio it should be even easier to hack. I downloaded Wireshark and can't figure out how to get it to capture my Com 4 Port where my programming cable is. Then I read something to the effect that Wireshark cannot read USB in Windows, just in Linux, so I'm back to square one. Last year I was using WinHex Hex Editor but really never knew if I was reading the right stream. Short story long, is there ANY information out there that goes into more detail about how to Hack a Password in a CP200 series radio, something that might be explained in layman's terms? I'm just trying to learn something new that will be to my benefit. I know sometimes I get smart aleck replies, since I'm not familiar with how to do this, I just ask them, did you wake up one morning and know everything? Any help, guidance, suggestions would be greatly appreciated. Thank you,

David
Here are my notes on the Commercial Series CPS password hack:

You can not do this with the CPS running. Be sure to exit the CPS. It's a good idea not to have a lot of other stuff running when you do this anyway.

Before doing anything further, make a copy of CPS.EXE and save it under a different name. That way you have the original, unmodified executable available to you. If anything goes wrong, you can always rename it back. I renamed mine to be cps-original.exe.

1. Open CPS.EXE in a hex editor. (I use xvi32, but there are other good ones. If you already have WinHex, you should be good to go.)

2. Search for the following: 85 C0 75 09 8B CE E8 (There should only be one occurrence of this in the entire file.)

3. Change 75 09 to 90 90

4. Write the modified file back into the original directory with the same file name.

5. Restart the CPS and read the radio.

6. When you get the prompt asking you to enter the password, simply hit <enter> - the codeplug will then be read into your CPS properly. You can modify as needed. Be sure to clear the password before writing back to the radio or set a new password if desired.

Note: This instruction set has worked on every version of the CPS since R05.13. It may work on older versions, but no promises.
Last edited by SteveC0625 on Sat Aug 23, 2014 7:15 pm, edited 1 time in total.
Al
Posts: 1045
Joined: Tue Sep 04, 2001 4:00 pm

Re: CP200 Password Hacking...

Post by Al »

No matter which hex editor you use, David, it should find the string that Steve listed above at address 0012B041 hex for R05.16. I mention this because it's only a double check showing that you've done everything correctly up to the search-and-find point.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

Thanks a million, I'll get back with the results.

David
SteveC0625
Posts: 467
Joined: Sat Jan 01, 2011 9:46 am
What radios do you own?: CDM's, CP's, CM's, and more

Re: CP200 Password Hacking...

Post by SteveC0625 »

Al wrote:No matter which hex editor you use, David, it should find the string that Steve listed above at address 0012B041 hex for R05.16. I mention this because it's only a double check showing that you've done everything correctly up to the search-and-find point.
Let me add that I spent many hours of internet searching and reading about this mod. My notes are a condensation of everything that I found. A lot of the info was right here on the batboard for reading. The biggest impediment to finding everything is that each inquiry was about a different radio within the Commercial Series and did not always mention the Commercial Series by name. So I had to search on CM200 and then on CM300 and then on CP150, CP200, CP200XLS and so on. Once I found as many threads as were going to surface, it was a matter of reading them, deciphering some cryptic (to me) wording, and then boiling it all down. The key turned out to be that the unique hex string that you search for has not varied, at least from version R05.13 on to the present. The individual hex characters that get changed have not varied beginning with far earlier versions.

A couple of key points about the mod as described in my notes: First, the reader is expected to have a working knowledge of file naming and renaming, directory structure, copying files, etc. Secondly, the hex editor that I use, XVI32, is fairly intuitive to use and didn't take much of a learning curve to figure out how to load a file, view it in hex or normal, search in hex, alter in hex, and then save the modified file under a different name. Since I have not worked with any other hex editor, I can not offer any tips or assistance there.

In reading over all of those threads, the biggest challenge for some folks seemed to be getting the proper location of the characters to be changed in each version. They move around based on whatever was added or deleted in each version. Once someone figured out the unique hex character sequence to search for, the mod got real simple, at least for the newer versions.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

I feel your pain. I've probably spent a week's worth of reading over the year or so just trying to teach myself. Here's the update... I saved a backup copy of cps.exe to my desktop. Opened the regular cps.exe and my default hex editor is Hex Workshop, so I read it with it. I found the string you mentioned and changed 75 09 to 90 90 but then I couldn't figure out how to write it back into the original directory. After the last few days of reading about hex codes and hacks, it's made me realize just how dumb, for lack of a better word, I am. If I can get the updated file written back into the directory I should be good to go.

David C
SteveC0625
Posts: 467
Joined: Sat Jan 01, 2011 9:46 am
What radios do you own?: CDM's, CP's, CM's, and more

Re: CP200 Password Hacking...

Post by SteveC0625 »

1crazymax wrote: I feel your pain. I've probably spent a week's worth of reading over the year or so just trying to teach myself. Here's the update... I saved a backup copy of cps.exe to my desktop. Opened the regular cps.exe and my default hex editor is Hex Workshop, so I read it with it. I found the string you mentioned and changed 75 09 to 90 90 but then I couldn't figure out how to write it back into the original directory. After the last few days of reading about hex codes and hacks, it's made me realize just how dumb, for lack of a better word, I am. If I can get the updated file written back into the directory I should be good to go.

David C
Under the File menu (top left corner of the window), there should be a Save As link. Again, I have never looked at WinHex, but if it's like 99.99% of other Windows programs, it should be there.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

Roger the Save As. After I made the corrections I clicked on Save As and saved as cps.exe. I got a pop-up: this file already exists, do I want to replace it; I clicked yes. Opened up CPS and read the radio, got to password, clicked enter, got invalid password message. I went back to cps.exe and read it again and the original 75 90 was back in the stream.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

I can't see that it would matter but I'm running Win 7 64 bit.
Bigfella237
Posts: 152
Joined: Wed May 02, 2012 11:30 am

Re: CP200 Password Hacking...

Post by Bigfella237 »

I am guessing you got into trouble using "Save As..."

If you have a backup of your original file quarantined somewhere, just open the CPS EXE file in WinHex, make your changes and try to close WinHex; it will ask if you want to save the changes, to which you say Yes, WinHex will close and it's job done!

Andrew

P.S. I forgot the most important thing, make sure the file is NOT "Read-only" before you start!

Simply right-click on the EXE file and choose "Properties", in the lower part of the popup window ensure the Attribute "Read-only" is not checked
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

I'm using Hex Workshop. In my original posting I said I had WinHex which I did. When I made the changes and tried to save it I got a message saying since it was a free trial I could not save files. So at this time I'm using Hex Workshop. Thanks Andrew, I'll try your suggestions.

David
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

I open cps.exe and scan with Hex Workshop. I searched and found the stream with the 75 09 that I changed to 90 90, closed Hex WS and it asked me if I wanted to save changes and I clicked yes. But it still asks for password and enter will not bypass and when I go through the same procedure the 75 09 is back in the stream read by Hex WS???
SteveC0625
Posts: 467
Joined: Sat Jan 01, 2011 9:46 am
What radios do you own?: CDM's, CP's, CM's, and more

Re: CP200 Password Hacking...

Post by SteveC0625 »

1crazymax wrote: I open cps.exe and scan with Hex Workshop. I searched and found the stream with the 75 09 that I changed to 90 90, closed Hex WS and it asked me if I wanted to save changes and I clicked yes. But it still asks for password and enter will not bypass and when I go through the same procedure the 75 09 is back in the stream read by Hex WS???
Try xvi32. It has worked flawlessly for me every time.

Just remember to keep the original cps.exe file somewhere safe and renamed so there is no chance of it being altered or used for now.

Make sure to save the altered file in the proper folder: C:\Program Files\Motorola\Commercial Series CPS and the altered file must be named cps.exe. You can always look at the date/time stamp on the new file to make sure it's the one you want to be using.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

Thanks Steve, I think I'll try xvi32. Right now when I go to Windows START in the find files and folders I type in cps.exe and then right click on it and I'm given the option to Hex Edit with Hex Workshop. After I install xvi32 I'll have to get you to tell me how to read the cps.exe file because it probably won't be in the options list when I right click the cps.exe file. I know when I had Hex WS and WinHex both installed, it only gave me the Hex WS as an option. I've since uninstalled the WinHex. I appreciate everyone's help and patience, I feel like I've regressed today. I'm calling it a night and I hope everyone stays safe.

David
SteveC0625
Posts: 467
Joined: Sat Jan 01, 2011 9:46 am
What radios do you own?: CDM's, CP's, CM's, and more

Re: CP200 Password Hacking...

Post by SteveC0625 »

1crazymax wrote: Thanks Steve, I think I'll try xvi32. Right now when I go to Windows START in the find files and folders I type in cps.exe and then right click on it and I'm given the option to Hex Edit with Hex Workshop. After I install xvi32 I'll have to get you to tell me how to read the cps.exe file because it probably won't be in the options list when I right click the cps.exe file. I know when I had Hex WS and WinHex both installed, it only gave me the Hex WS as an option. I've since uninstalled the WinHex. I appreciate everyone's help and patience, I feel like I've regressed today. I'm calling it a night and I hope everyone stays safe.

David
Do it the other way around. Run your hex editor, click on File, then on Open and step through the directory tree to program files to Motorola to Commercial Series CPS and you'll find the cps.exe. Load it, edit it, and then save it.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

This is driving me crazy. I started thinking last night when you mentioned something about the directory tree I might be doing it wrong. Still didn't work. I OPENED HEX WORKSHOP WENT TO FILE---OPEN---OS---PROGRAM FILES (X86)---MOTOROLA---COMMERCIAL SERIES CPS---CPS.EXE. Connected the radio and still could bypass the password. I went back and opened up Hex Workshop again, same procedure and the 75 09 was back in the stream. I tried to close Hex Workshop and it asked if I wanted to save changes to cps.exe and I clicked yes. Then I went back and changed it again and tried File Save this time. When I did, the hex values changed to gray but still didn't work. I've got a few things to do here before it gets too late. I should be able to download xvi32 and use the same procedure as listed above without uninstalling Hex Workshop, shouldn't I? If this keeps up you're going to have to claim me as a dependent on your taxes. Again I really appreciate all of your patience.
David
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

I lied. The pressure was killing me so I installed the xvi32 and had a few issues until I Ran as an Administrator, then hex code changed first time and I'm able to read the radios. Am I correct in assuming that from now on as long as I'm using this CPS, any time I read a password protected radio and the password box comes up, just hit enter to bypass? Finish reading, remove password or change, enter desired info, and write. If anyone else is reading this thread be sure to run the xvi32 as an administrator, if not you will get an error saying can not change file.
Here's what I did...
Installed free version of xvi32... Opened up xvi32... Clicked Open top left and go through your directory tree until you get to cps.exe. My sequence was Open...OS...Program Files (x86)...Motorola...Commercial Series CPS...CPS.EXE. At this point your screen will be populated with the cps.exe hex code. At the top almost center there will be a picture of the big magnifying glass, click on it. The FIND box will open up, make sure HEX STRING is checked. Type in 85C075098BCEE8 then click okay. Find the 75 and click on it and change it to 90 then change the 09 to 90, then you should be able to hit save and you'll be ready to go. You can also click on the picture of the small magnifying glass with 2 arrows on it. This will bring up the Find and Replace window. Be sure both HEX STRINGs are checked. In the top FIND box type in 85C075098BCEE8, in the REPLACE box type in 85C090908BCEE8 and click REPLACE ALL, answer OK, click FILE... SAVE and you should be ready to go... I love learning new things. JUST A NOTE, IF YOU READ ALL OF THIS THREAD YOU SAW HOW I DIDN'T HAVE ANY LUCK USING HEX WORKSHOP OR WINHEX BUT THE XVI32 EDITOR WORKED THE FIRST TIME, after I turned on my administrator privileges. I'd like to greatly thank SteveC0625, Al, and Bigfella237 for all of their help and patience. Merry Christmas to all and to all a good night.

David C
SteveC0625
Posts: 467
Joined: Sat Jan 01, 2011 9:46 am
What radios do you own?: CDM's, CP's, CM's, and more

Re: CP200 Password Hacking...

Post by SteveC0625 »

1crazymax wrote: I lied. The pressure was killing me so I installed the xvi32 and had a few issues until I Ran as an Administrator, then hex code changed first time and I'm able to read the radios. Am I correct in assuming that from now on as long as I'm using this CPS, any time I read a password protected radio and the password box comes up, just hit enter to bypass? Finish reading, remove password or change, enter desired info, and write. If anyone else is reading this thread be sure to run the xvi32 as an administrator, if not you will get an error saying can not change file.
Here's what I did...
Installed free version of xvi32... Opened up xvi32... Clicked Open top left and go through your directory tree until you get to cps.exe. My sequence was Open...OS...Program Files (x86)...Motorola...Commercial Series CPS...CPS.EXE. At this point your screen will be populated with the cps.exe hex code. At the top almost center there will be a picture of the big magnifying glass, click on it. The FIND box will open up, make sure HEX STRING is checked. Type in 85C075098BCEE8 then click okay. Find the 75 and click on it and change it to 90 then change the 09 to 90, then you should be able to hit save and you'll be ready to go. You can also click on the picture of the small magnifying glass with 2 arrows on it. This will bring up the Find and Replace window. Be sure both HEX STRINGs are checked. In the top FIND box type in 85C075098BCEE8, in the REPLACE box type in 85C090908BCEE8 and click REPLACE ALL, answer OK, click FILE... SAVE and you should be ready to go... I love learning new things. JUST A NOTE, IF YOU READ ALL OF THIS THREAD YOU SAW HOW I DIDN'T HAVE ANY LUCK USING HEX WORKSHOP OR WINHEX BUT THE XVI32 EDITOR WORKED THE FIRST TIME, after I turned on my administrator privileges. I'd like to greatly thank SteveC0625, Al, and Bigfella237 for all of their help and patience. Merry Christmas to all and to all a good night.

David C
I'm glad it worked out for you. And, yes, once you have modified the CPS with this mod, it will work just fine with any future password protected radios that you encounter. When it asks for the password, just hit <enter> and keep on trucking.

On the very remote off chance that somewhere down the line, there might be a duplicate occurrence of that string someday in a future version, it's a wise move not to start with a global search and replace. I'd search only until I'm absolutely certain that the string only appears once in the entire cps.exe file. Then, and only then, would I modify the two characters and save the modified file.
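
The uniqueness check described in the post above, written as a read-only audit that reports whether a copy of cps.exe carries the original or the modified bytes. This is an added example, not code from the thread or from Motorola; `audit`, `Report` and `expected_offset` are hypothetical names, the sample buffers are constructed, and treating a quoted address as the file offset of the first byte of the match is an assumption.

```python
"""Read-only audit of an executable for the byte change discussed in this thread."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Byte strings quoted in the thread. As x86 machine code:
# 85 C0 = test eax,eax   75 09 = jnz short +9   90 = nop
# 8B CE = mov ecx,esi    E8 = call rel32
ORIGINAL = bytes.fromhex("85C075098BCEE8")
PATCHED = bytes.fromhex("85C090908BCEE8")


@dataclass
class Report:
    state: str                     # "original", "patched", "ambiguous" or "absent"
    original_offsets: List[int]
    patched_offsets: List[int]
    sha256: str                    # digest to compare against a known-good copy
    offset_matches: Optional[bool]  # None when no expected offset was given


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs, overlapping hits included."""
    hits = []
    pos = data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def audit(data: bytes, expected_offset: Optional[int] = None) -> Report:
    """Classify a binary image without modifying it."""
    orig = find_all(data, ORIGINAL)
    pat = find_all(data, PATCHED)
    if not orig and not pat:
        state = "absent"           # different build, or not this program at all
    elif len(orig) == 1 and not pat:
        state = "original"
    elif len(pat) == 1 and not orig:
        state = "patched"
    else:
        state = "ambiguous"        # more than one hit: a signature alone proves nothing
    matches = None
    if expected_offset is not None:
        # Assumption: the expected offset refers to the first byte of the match.
        hit = (orig + pat)[0] if state in ("original", "patched") else None
        matches = hit == expected_offset
    return Report(state, orig, pat, hashlib.sha256(data).hexdigest(), matches)


def audit_file(path: str, expected_offset: Optional[int] = None) -> Report:
    """Audit a file on disk; the file is opened read-only."""
    with open(path, "rb") as fh:
        return audit(fh.read(), expected_offset)


if __name__ == "__main__":
    # Constructed sample images, not real CPS data.
    pad = b"\x00" * 0x40
    clean = pad + ORIGINAL + b"\x11\x22\x33\x44" + pad
    for name, image in (("clean", clean),
                        ("modified", clean.replace(ORIGINAL, PATCHED)),
                        ("duplicate", clean + ORIGINAL)):
        r = audit(image, expected_offset=0x40)
        print(f"{name:9s} state={r.state:9s} offset_ok={r.offset_matches} "
              f"sha256={r.sha256[:16]}...")
```

Comparing the SHA-256 against a digest taken from the saved original copy catches any modification, not only this one, and also shows when an editor's save did not actually reach the file on disk.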
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

Thanks, a good point. I hope this fits my needs for a while. Would it be safe to assume like Al said just make sure it's at address 0012B41 or I guess they could rewrite the whole program. Oh well, I'm good for now anyway. I'll probably sleep better tonight; stuff like this I can't figure out drives me crazy. And again I can't thank you enough for your help. Have a good week,

David C
Bigfella237
Posts: 152
Joined: Wed May 02, 2012 11:30 am

Re: CP200 Password Hacking...

Post by Bigfella237 »

So the problem was that Hex Workshop was not saving your changes the whole time, any idea why?

I use (a licensed copy of) WinHex myself so I'm not familiar with Hex Workshop, was it an evaluation copy or freeware?

Andrew
Al
Posts: 1045
Joined: Tue Sep 04, 2001 4:00 pm

Re: CP200 Password Hacking...

Post by Al »

David, the address that I gave you is good for the R05.16 revision of cps.exe. That address may or may not change when you modify other versions of the cps file depending on whether the source code changed and which compiler was used when the binary file was created by M.
1crazymax
Posts: 55
Joined: Sat Nov 10, 2012 3:01 pm
What radios do you own?: CP200's, CM300, Baofeng UV-5RC

Re: CP200 Password Hacking...

Post by 1crazymax »

Okay thanks Al. I've been thinking about it and the first couple of times I tried xvi32 I got an error message saying I did not have the authority to change a file. Then about the third time a message popped up and asked me if I wanted to Run As An Administrator. I clicked yes and the next try it worked just fine. I'm wondering if that may have been the problem with WinHex and Hex Workshop, only difference being xvi32 was designed to throw up that window. I did some research about the Run As An Administrator thing, I was thinking it should be on all the time. What I found out is if you say right click on something like Google, while on that site it also gives anyone I get in contact with the Administrator privileges too. I've got a CM300 in my truck I use sort of like a base when we go ATVing. I guess this hack would work for any Commercial Series, CP, CM.

David
knightnblue706
New User
Posts: 1
Joined: Fri May 09, 2014 5:28 am
What radios do you own?: Moto XTL2500/XTS2500i/AstroSab

Re: CP200 Password Hacking...

Post by knightnblue706 »

I know this is an old thread but I had to thank everyone for the great info.....I tried it and it worked flawlessly!