Hello,

I built a hardware clone for parallel globetrotter dongle.

It is very easy to make a copy of an existing original dongle.

I can put several dongle IDs into the clone...

Is this helpful for reversing freaks ???

- Hubschrauber -

Howdy,

It is helpful for us "freaks".
I just have a question or two.

Do you need to have the "original" dongle ??
I know you say it is easy to make a clone of an existing dongle but,
If you have the original dongle, why build a clone ??

You will need to convince me how you can put multiple dongle ID's onto one clone and have it know what the hell is going on.

And of course the most important question, HOW MUCH $$$$$$

-obc-
(Hey man, I needs ta know)

Hi Woodmann,

the idea was to build a clone from an existing dongle to use one lincense on several PCs.
Because I am not a good reverser but a good mircocontroller and hardware specialist, I decided to do this in hardware.
On advantage of this solution is, it works with every software, no special reversing must be done !!!
You need the original dongle to read out the rom-data on rom-id and then store to clone.
But I don't need the dongle physically, everyone can read out the original and send the data to me !!!

At the moment I have stored 4 licenses on my handwired prototye dongle. Works fine !!!!
It is no problem to store up to 10 or 50 licenses to one dongle. The only thing is I need a bigger microcontroller or use a separate data-flash.

My question, why I put this info to this board, it is useful for reversing freaks ?
Maybe it helps when cracking FlexLm manager ???

How Much ????? Currently I am doing PCB stuff.... I will calculate it......

- hubschrauber -

It is interesting that you have the solution from the hardware aspect, but do not forget that Globetrotter do not use any query in checking the dongle, just the dongle id and the serial number of the dongle (btw it is a piece of cake to replace with other SuperPro key). It would be more challenging if you could read the content of every cell of the SuperPro from hardware point of view. I am interested in your implementation anyway, and it is great if you have succeeded in "cloning" the Globetrotter dongle.

Bye,
scorpie

Hi scorpie,
you are right, globetrotter security is a piece of cake !!!!
So it was very easy to build the clone. About a few houres to do !!
I use a ATMEL AVR for emulation.
BUT: It's a nice solution for NON-PROFESSIONAL-REVERSERS

Sorry, I have got no SuperPro Dongle !!
-hubschrauber-

Hello hubschrauber,
You are a professinal in your field (solutions from hardware aspect are rare in the message board), and could you more specific with the ATMEL AVR ? (which one ?). It is also great that without having the superpro you can clone it. Do you use the same sentinel driver for reading your "clone dongle" ?


Regards,
scorpie

Hello Scorpie,

my handwired Proto was based on a MEGA8.
Meanwhile a have finished the PCB for the first series (6 dongles), These Boards
are based on MEGA48/88 or 168, because of their low voltage range. They work from
1.8 V to 5 V !!! This is very important to run on Laptop-LPT-ports with only 3.3V.
The clone is powered from the LPT like "standard" dongles !!!
Drivers: I didn't change anything of the drivers, so I think it is the standards driver from macrovision/globetrotter.
-hubschrauber-

Hiya,

Forgive for I must have missed 60 minutes here ;-).

What exactly is a 'Parallel GlobeTrotter Dongle Clone'. AFAIK GlobeTrotter (of FLEXlm fame) support about 3 dongles (Aladdin/Sentinel and Dallas ifirc) via the FLEXID# license switch and its simply a read of the dongles ID, nothing more.

Which of these dongles does your 'Clone' support?, the technologies (protocols) used to read out the ID's of these 3 dongles are very different (h/w and s/w wise) and I'm pretty sure that FLEXlm uses the dongle vendors client library.

I guess what I'm asking in a nutshell :

1. What use is this? (aside from a cheap dongle replacement for legit FLEXlm clients).
2. How does it work (exact details here!) and which dongle(s) does it support? (i.e. which protocols have you implemented).

I think I speak for everyone on the board, when I say please post some details of everything you have done because there is considerable interest in this subject.

Regards

CrackZ.

HI CrackZ,

I can tell you what I know about the original dongle:
it is a "Globetrotter Dallas" connected via parallel port (LPT)
This type of dongle uses Dallas 1-Wire Protocol. Inside the
dongle there is 1-Wire-EEPROM with an unique ROM-ID (DS2505)
For connection to the LPT-port a DS1481 is used. This chip is a 1-Wire-Bus-Master
designed to run 1-Wire devices on the LPT-port.

My clone emulates the the DS1481 and the DS2505. The 1-Wire-Bus is designed
as a multi-device bus. So I can emulate many 1-Wire-Eeproms (DS2505) with my
ATMEL AVR-Controller.
To read out the original dongles you can use the Dallas I-Button Software TMEX,
from dallas/maxim homepage. Switch TMEX to DEBUG-mode and save file. This file
includes unique-ROM-ID and EEPROM data.
ROM-ID and EEPROM data I need to include in my controller source file and that's it !!

I think about to build a Copy-Software:
First connect original dongle, PRESS read out.
Second Connect empty clone, PRESS write to clone.

I hope this are enough details !?!?!

-hubschrauber-


-

As mentioned above, most of the people on this board have most of their knowledge in the software side of things. It's refreshing, interesting and valuable to have some hardware people/stuff like this here too, I hope you'll stick around and continue posting and contributing cool stuff like this hubschrauber.

Hello hubschrauber, crackZ and deLTA,

I am mistaken with having the impression that hubschrauber "clones" the superpro, and thank crackZ for pointing out other possibilities which Globetrotter support. It is clear now to me.

Hello TO ALL,

today I got the first 6 PCBs of the clone hardware....
... at the moment I finished soldering...
... programmed the AVR controller...
... checked with FlexLm ...

=> IT WORKS !!!!!

Where I can upload a picture of the clone ???
Has someone an anonymous server ????
Or can I send the picture to anyone by email, who can store to this server ???
Maybe woodmann or a admin could do this ???

- hubschrauber -

Cool. Maybe you can write a tutorial or something about it? That would be very nice and valuable I think, since this hardware stuff is kinda rare in most reversing communities like this one. Also see my PM.

Hi Hubschrauber,
I have been following this thread with great interest. I really enjoy the hardware aspect and was wondering what programmer is being used. Is it made by Atmel? Also, you may email the schematic to me if you wish
TIA,
horkey
horkey46@hotmail.com

This is very interesting. I didn't know cloning dongles could be this easy. What did you use to draw the PCB? If it's in protel format? Do you mind sharing one or two of your designs? I believe you can directly attach files to your post so you could attach a zipped file or something that we all can learn from.

Great work.

Ok, hubschrauber asked me to upload this image of his actual dongle clone to the board, and said he would provide further explanations then.

Please note though hubschrauber, that everyone can upload images to threads like this, simply attach it with the "manage attachments" button in your post, and it will be displayed like this in the post (only one image per post can be diplayed though if I remember correctly).

Explanation to the picture of the clone:
- on the upper and right there is the parasite power supply (diodes and caps), so the dongle can run directly from the LPT port.
- on the lower side there is a logic gate chip, it is used to run printers and scanners behind the dongle correctly.
- in the center ther iss the AVR with some connectors for testing.
- on the left side you can see the last modifications I had to do, because of compatibility to the original dongle and problems with some scanner behind the dongle.
=> so it will give an new pcb in near future without handwired connections.
- hubschrauber -

PS: I tested to upload the picture by myself...

Excellent Work !!!

The PCB looks quite clean and professional (even with some small modification); congratulation.

Do you mind to share the circuit ? Kindly let me know your PM.


Bye,
scorpie

For those of you that might think of getting into the hardware side of reversing (Homersux) and want to make your own PCBs for your project, i would recommend www.expresspcb.com

here is why,
free CAD software (windows based)
free schematic software (windows based)
you can save your design as a plot file for manual ordering.

and when you are done with your design, you simply connect via the internet or and upload your design... in 3-5 days and $60 you have 3 (3.8" x 2.5", a little bigger than a DB25 wide, but you can cut that down and in half to get two curcuits from one board) professional PCBs at your doorstep.... as this is all USA based, i do not know if they ship overseas or what payments they take besides visa, MC, etc. so it is worth a shot.

i already have a hardlock based PCB that works, and i am currently working on another dongle, have the prototype board done but have not worked out all the bugs from the code... these are emulators only at this time as tgodd can contest, the alogo is very difficult, and i have not figured it out yet (if ever). but the emulation works.

admins, if i have commited any wrongs here with my plug on the software i am using to make PCBs, i am sorry. i do not work for them nor do i know anyone that works for expresspcb.com.

hope this helps.

korvak

this first picture is of the Sentinel Super Pro.... the numbers on the sticker have been altered... but as you can see it is an ASIC type chip under a drop of glue. so you do not get much to go on when attempting to reverse engineer this puppy...

korvak

this second picture is of the Hardlock, this is the New style as it is using a "Microchip" PIC 16CE625, a 4 mhz crystal and a bunch of caps, diodes, and resistors to do two things... 1) leech power from the comm port, 2) create the pump-charge buffers to change the +-12 volts to TTL for the microcontroller and for the signals from the microcontroller to talk back to the computer over the serial port. i hope that these help some one out there.

korvak

expressPCB is ok for small project, but protel is more professional imo. I'd like to know if you guys can upload some schematic files of your hack for us hardware noobs to learn from,

korvak,

are you sure, that the second one (PIC-type) is for serial port ????
I think it is also for parallal (LPT) port.

-hubschrauber-

scorpie,
thank you for the praise, but doing pcb stuff is my profession.
Meanwhile I did further modifications, I added two connections from the controller
to the logic gates. This was necessary for some type of scanner to run in epp/ecp mode. So I think a redesign of the PCB with all handwired changes included should be done.
-hubschrauber-

hubschrauber , it could be for the parrellel port as well... i know that the one i have emulated works on the serial port... i use a MAX232a for its pump-charge funtions... as i only have access to these two dongles.. i do not have enough information to give you a definitive answer.. sorry... i can only tell you what i know, anything else would be an assumption and counter active.

as for the schmatics... they are all on paper, i will see what i can do to get you something... time permitting.

korvak

hubschrauber, it would appear that we are both right... i just went to thier website and pulled this from it

" Where can I connect Hardlock?
Hardlock is available for parallel and serial interfaces, as internal ISA and PS/2 bus plug-ins, as PCMCIA (= PC card) cards and for the brand-new USB interface. The user or software developer doesn't have to spend one second thinking about which interface he'll ultimately use. The Hardlock libraries automatically detect where a Hardlock is connected (only when used and operated on the serial interface does the system have to be informed)."

so there are alot of different flavors of this puppy out there....

oh, and i know this is a little late... but, yes in deed, nice PCB.... did you do the soldering yourself? and if so... was it with a soldering iron or a hot-air machine.... i can not find a soldering tip to get down past the SOIC level/805 component in size with out soldering pads and legs together.

korvak

korvak,

thank you for the information about the serial/parallel dongles.

Soldering: It is hand soldered with a Weller MLR21 solder iron.
I have experience in soldering over 25 years, I started when I was about 9 years.
(-> now it is possilbe to calculate my age, the first who replies a post with the correct age will win a washing machine).
It is no problem for me to solder fine pitch components (0.35mm) or 0603/0402 SMDs.
It a part of my profession to build very quick handsoldered prototype PCBs.
I drilled soldering in my youth, when I was building very smal bugs !!
-hubschrauber-

OK. I accept the challenge. 9 years of age plus 25 years makes you only 24 years younger than I am. Did I win, huh, did I, did I??? I need a new washer.

Damn find work all of you. Keep it comming.

Regards,

JMI,

yes you win !!!

-hubschrauber-

nothing realy new but as good old design example for the hardware 'freaks'
built around a Philips µC or ASIC (low power) with a small EEPROM and a few passive components, seems to not have own clock generation...

I think the attached AVI file is very interesting to all non hardware freaks...

It is no fake !!! I touch the DEVICE with the solder in my hand...
... and I am still alive !!!!

Who can explain this ????
- hubschrauber-

Cool. I'm waiting for an explanation too.

it looks like some HighVoltage and higher frequency school experiment in the real-life (i mean out of control ) or it has to do with insect-killing ??

greatz monguz
p.s. its cool man...

hi monguz,

you are right: high voltage and high frequency....
... is a special style of CCFL-converter you can find in every notebook backlight system.

This device makes power up to 50 W in the spark !!!
So the solder is melting.


I will go on holiday for 10 days...
... coming back on 30th september...

-hubschrauber-

here is the top and bottom images of the circuit i made with the expressPCB software... they are in the pdf format, i hope that everyone can view them. i could not get them to convert to a .jpg or another format. all i could do is print from the expessbcb application to the acrobat distiller...anyways, i hope this helps.....

so what are you looking at?

the top and bottom image are just that... the top and bottom of a two sided circuit board.... now i like bells and whistles, and i like versitility in my projects... so in this mess of pads and traces i have a microcontroller "U1", a rs232 converter (U2), a low drop-out voltage regulator (U3), a 64bit serial number chip (U4) and a real-time clock with 56 Bytes of nonvolatile ram (U5), this is a DIP PCB, the rest i have are all surface mount. i did not want to discourage anyone into thinking "i could never do that, the parts are so small....."

So... do you need all of this for emulating the SERIAL hardlock...simply put.. no.. all that is needed is the voltage regulator of some sort, the signal converter (for serial rs232/TTL voltage levels), and a MPU. so you ask yourself.... what is all this other crap then? well, i could never follow the KISS rule (keep it simple stupid, which accounts for many of my lost hours of sleep and thinning hair....) and when i designing something i get all these other ideas in my head of what else this curcuit could be used for ... hense the other two items that are not needed... i also tend to go with the most powerfullest MPU i can, the reason, is that when i set out to reverse something... there are way too many unknowns, remember you are trying to make something from hardware/software that alot of the time has been created at the hardware level (ASIC), and software is always slower than hardware at the core level... what do you mean?.. well for an example, you may have to use a set of software instructions that shift a datastream in and keep track of how many bits have been shifted in, then once you get those 8 bits to make a byte, then you have to have another set of instruction to move the byte, do some function on the byte, and set up for the next set of bits to be shifted in or out... all of this can easliy be done on the hardware/logic gate level..... still not sure what i mean... let me put it into numbers... take for example a 16x16 bit multiply function, on the same MPU @ 10Mhz, the software level will take a max of 254 Cycles (102.6 microseconds), on the other hand the hardware level will take a max of 36 cycles (14.4 microsoecond). i hope that did not confuse the hell out of you... anyways back to the why the most powerfullest MPU i can get... i would rather have the MPU idle then to have to rework my whole design and code to get a few extra microseconds out of it to meet the needs of whatever i am reversing to make it work... in the prototyping stage, i alway think more is better, when you go to finalization you can always scale back to what is really needed.

so the other two items are a 64 bit lazer etched serial number chip, why? well it allows me to keep track of my PCBs, as no two will ever be the same... i was messing around with 1-wire stuff a while back and liked it so it got put into everything i seem to do now.

the other item is a real time clock with a 32.768 Khz (color-burst) crystal with 56 bytes of non-volatile ram... this uses a 2-wire, bi-directional bus... it is good for time stamping if you are data logging or need time for some reason, and with the 56 bytes of non-volatile ram, you do not need to add an extra memory chip if you only need to store a very little bit of data... if you need more data space you can always add some of the newer serial eeproms or what ever you like, also some of the newer MPU have DATA EEPROM onboard.

well i hope this helps some, if you do not understand all of this... that is ok.. i do not understand all of the stuff you programmers mention... it is all about learning and what you really like to do...

korvak

I combined and converted the files to an uploadable picture, here you go:

Dear Korvak & others

Is any PCB avail for hasp4 lpt & usb locks?
How to access hardware like screet tables, hidden memo, Id?

Help on this suubject is highly appreciated

CaH

CAH,
i personally do not have any designs for the hasp, as i have not had a need for it... i would think that a parrellel/serial (which ever it uses) would not be hard to do... in the end... the dongle connects to a DB25 (not the usb device, of course) and from there by either direct connects from printer port to MPU or from a Serial port thru a rs232 converter to the MPU...

if you need help in developing this, let me know, i will help where i can... but to keep with the spirit of this BB, you have to put some effort into the project yourself...

here to help....

Korvak

Yes,
Here it is.

Where now is what now?

Dear Korvak

Thanks for your response on H4 PCB.
I am interested in this development.
How to start& What we need to start?

send me your mail id
CaH

CAH,

where to start?

well... now starts the leg work... and alot of it... start by reading the manual or SDK.... have you read the technical details yet? in specific, the pins/signals needed, then you need to get a logic analyzer of some sort to watch the signals...otherwise dont bother, you would be wasting your time.... does the SDK talk about the protocal or handshaking that goes on between the pc and the dongle? this is the first road block that needs to be figured out... how to talk to each other at the very basic level....how many pins are used? serial... one in, one out, clk, what? ... or parrallel, 8 bits every clk cycle....

after that watch your signals for patterns... here comes all the "paperwork", is the data being grouped (ie. data, pause, data, pause...), or is it a constant stream of data, then is it being sent LSB first or MSB first? once you figure this out, you can start to break out the command words and data, there is alot of informaiton on this BB as to what you are looking for...

once you have some of the cmd words and data structure... run an aplication and capture the data session on the dongle...

if you have plans on reuseing your dongle emulator for other projects, you can approach the software in the MPU from a modular design (cmd word response design) instead of a "i already know what it is going to ask next over and over, it is the same thing, so i will send it what it expects" i know this is confusing but look at it as a difference between a "Random" session and a "sequential" session... the random design take a little more work in the beginning, but it pays off in the end if you are going to use this for other projects.

now the real fun part... writing your code to....
1) talk to the pc
2) understand what the pc is telling your MPU to do? (sending cmd words)
3) sending the correct data back to the PC (response)
4) house keeping internally in the MPC (setting up the correct variables everytime and making sure your code does not do strange things)
5) recovery... what does the MPU do if there is an error in the protocal or internally... (stack overflow, stack underflow, brownout, reset, initial power up, etc... )

well this sould get you started on thinking of what needs to be done...

hope this helps.. let me know.

korvak

P.S. Sleep... who needs sleep? i will get all the sleep i need when i am dead

Dear Korvak,
Thanks for your response & reply.
Do you have any PCB designs for both hasp4 & sentinel with component details?
How to find Chips for ASIC, Sources & developing communication with PC?

CaH

cah, as i stated before in this thread, i do not have any PCBs for the Hasp type dongle, and i am currently prototyping a PCB (wirewrap at this point) for the sentinel SPRO, and as far as the component details... it is again nothing more that a microcontroller, power reg, some caps, resistors, glue components...... and i do not want to sound like i am not forecoming in information, but part of the fun is figuring out what you need to make this work.... so far i have not seen any real effort.... have you even put a scope or logic analyzer to your target? if so, what have you seen and figured out yet, reversing hardware is alot different then software, your just cant run ida or softice and patch the target... you really have to hook stuff up and watch your target...

as for "how to find the chips for the asic".... the easiest way i can think of is to go work at the manufacture as a janitor and "borrow" what you need... but really... i do not know of any way to find out what ASIC it is because 99% of the time the ASIC is "Proprietary", so you are not going to get your hands on it even if you do get a part number or find out what it is, so much for sources, i once call "phillips" about the "FAST" chip in the "hardlock" why? well if you look very closely at teh "FAST" chip you will see the "phillips" logo, and back then when i called, that was all i had to go on, needless to say i hit a stone wall ....

if you are wanting to know how to find an equivelant chip for the ASIC... like i said, i go for the most power i can get out of a MPU and then scale back when the design is done, if the need is there to scale back...ie, to reduce the power consumption due to a high oscillator, the other factor is what you are comfortable with, if you like Amtel, or Microchip, or Intel, or Scenix, or what ever you know how to use in the way of MPUs, then go with that... but there again you have some paperwork to do to find a chip that "might" but able to do the functions you are looking for... and if this is your fist attempt to use a MPU then you have a serious learning curve ahead of you, with the power that some of these MPUs have now, if you are new to this, it can take you weeks just to get the registers to "init" correctly so you can start the real work....

so now to your point of starting... "developing the communication"... are you attempting to hack the serial, parrellel, or usb flavor of the device?

read the specs on the PC port itself.... what are the hardware voltage and current levels, what pins do what? i do not want to sound vague here also but understand that the ports usually have slave chips that are designed to handle the port function and nothing else, so you can not take a serial port and turn it into a parrellel port by changing setup registers and think you are now going to get 5 volts out of an RS232 (+-12 vdc) compliant port...
now look at the signals on those pins, watch ALL of them... what order to do see data on them, and how often? is there a clock signal, or lack of a clock signal? what is the pattern that the pc send data to the target? only when you hit a certain function on the target program? or continuously?

and do some of the "ground" work so that you can step up to this table and we can hack forward....

Korvak