MicroHacker Forum

Online community for electronics and microcontroller reverse engineering
https://microhacker.denkdose.de/

Unlock FX after 3 wrong PIN attempts

https://microhacker.denkdose.de/viewtopic.php?t=193

Page 1 of 1

Unlock FX after 3 wrong PIN attempts

Posted: 20 Jul 2020, 18:56
by Go4IT
Today i try to get where FX is storing "the wrong PIN entered" counter to find out how to recover it from there.
First i only test how it could be made after entering 3 times the wrong PIN. I know after 9 times it should be locked completly, but as this tooks days to run it, i don't think i will test this ;-)
My test setup:
- Update FX with latest firmware to have a fresh Flash ;-)
- Dump the unmangled flash
- Enter wrong PIN #1 => Dump flash
- Enter wrong PIN #2 => Dump flash
- Enter wrong PIN #3 (displays "Device locked for 1 hour") => Dump flash

1. Test
Write wrong PIN #2 flash back onto device => Device unlocked, can enter another PIN. Oh man, that was too easy ... :lol:

Now i examine the Flashdumps to find differences...

Re: Unlock FX after 3 wrong PIN attempts

Posted: 20 Jul 2020, 22:03
by Go4IT
Ok, one step further. I narrowed the are down by using a binary-tree approach and found out that area 0x01C0 0000 - 0x01DF FFFF must contain the searched information. When i write only those sectors back from a dump which was not locked, i will be prompt to enter PIN again. When i try to bintree-divide this area and only write back 0x01C0 0000 - 0x01CF FFFF or 0x01D0 0000 - 0x01DF FFFF the unit won't boot up. Seems like it crashes internally.
A simple binary compare of this area between the dumps taken unfortunately gives too much diffs.

Re: Unlock FX after 3 wrong PIN attempts

Posted: 17 Apr 2022, 11:53
by Go4IT
Like written above, the PIN-Lock information seems to be somewhere in the Flash area 0x01C0 0000 - 0x01DF FFFF. If i just erase this area (which in Flash-terms means all bytes are set to 0xFF) the unit won't start again. But if i copy over this area from an image which meets the type (e.g. if it was 8S7T-...-AE, take the area from an equal partnumber image), it first seems to be bricked also, but after some minutes (2-4) it suddenly come back to life.

Maybe one of you guys retry this and we may find out what is inside this area and maybe find the single bytes denoting the lock. As it is also a lock time, the data in this area should change from minute to minute, but only if IGNITION is send via CAN, because otherwise it won't count down the time internally.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited