#181
approved for all ages...
Join Date: Apr 2002
Location: BFE Illinois
Posts: 262
nah... I tried several different DOS disks (the one from Andrew's page, 98 boot disk, DOS 6.22, DOS 5.0). The problem is the 4.0 Card Version thing. I wonder what the hell that means anyway. Let me dig through my documentation to see what that means.
I wonder who I could contact to get that info if I don't have it. Avaya (or Agere) still own that. I'll do the Windows 98 driver hack tonight. I have to ghost my HD off and install 98 from scratch, so it will take a while. Stay tuned... -Mc

#183
approved for all ages...
Join Date: Apr 2002
Location: BFE Illinois
Posts: 262
well, tested it in Windows 98 and it wouldn't let me install the driver. After loading MOST of the files, it forced me to use the Windows default.
So that's a bust. I think that confirms that the Windows driver "hack" is merely an attempt and not a very successful one. Sure wish I'd have paid more attention in Systems Programming class... -Mc

#184
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
WSU Explorations
OK, I did a lot of debugging through WSU10810.exe tonight, and all it did was yield more confusion. Here is what I did:
1) Used Trace Plus to spy on it during a firmware upgrade. I found that it did lots of ioctl 170002h to the driver.
2) Next, I analyzed the EXE using IDA and found all calls to this IOCTL.
3) I loaded the EXE using VC6 and disassembled it in the debugger.
4) I set breakpoints on all calls of the IOCTL from (1). It turns out the call at 402ED3h is the important one.
5) I hit the upgrade button and stepped through the debugger. On the 27th call, the return buffer contains the PDA!!
6) I edited record 109 to make it look like a gold.
7) It puked on the altered PDA.
8) Back to DOS and, using the gold-altered PDA, I flash -5v -vb -p new.pda to get it to calculate the new CRC.
9) Going back to the WSU, I edited both record 109 and the CRC. This time, it didn't complain!
10) I checked my new firmware w/ the CM and it still only allows standard WEP encryption.
11) Finally, I entered the entire PDA from a gold card in step (9), and that didn't work either.
I don't understand... I fool the WSU into thinking it's seeing a gold card's PDA and it still doesn't like it. I think this is compelling evidence that the firmware in Lucent's WSUs really checks the PDA to enable 104-bit WEP.
__________________
~lincomatic
Last edited by lincomatic: 04-28-2004 at 03:41 AM.

#185
Registered Member
Join Date: Apr 2004
Posts: 31
On the flash utility there is a switch to try to program the flash directly over the aux port(?)...
With this method we can write to the flash, but in flash.exe the flash chip from the Orinoco is unknown. If we find out how this can be done, we can write the PDA imo... If this doesn't work, why don't we load a primary 4.04 firmware to the RAM and try to use this to flash?? Can anyone dump the primary 4.04 firmware, or another firmware with which we can update the PDA...

#186
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
OK, I think I've wasted enough time on this. But here's a little more info. I recall that the cards I upgraded via the Airport 2.0.2 updater had firmware 8.12 in them. I just downloaded the updater again from Apple, searched for the string .HEX inside it, and sure enough there is the string T1081200.HEX inside it. Strange how it has T for tertiary instead of S for station, but I'm pretty sure it's the right stuff. So if anyone can tell me how to tell where the actual image begins and ends, maybe we can cram it into an existing WSU. Aside from that, I quit!!
__________________
~lincomatic

#187
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
ok, I lied... one more thing. Attached is a program I made which reads the serial number and PDA. It doesn't currently do anything except demonstrate some driver ioctls by putting the data into a buffer. Now if only we could figure out the proper ioctls to actually *write* the PDA instead of just reading it...
Time for some much-needed shut-eye.
__________________
~lincomatic

#188
General "Noob Basher"
Join Date: Apr 2002
Location: Munich, Germany
Posts: 1,620
Geezzz
After 180+ replies and over 9000+ views, I would have figured out by now that just buying a gold card would be easier than trying this upgrade. Much faster also..
__________________
Legends may sleep, but they never die!!!!

#189
Registered Member
Join Date: Sep 2003
Posts: 40
My Orinoco Silver is still Silver and 11 channels though

#190
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
It's just a hacking obsession...
The means is what's interesting to me, not the end.
__________________
~lincomatic

#192
approved for all ages...
Join Date: Apr 2002
Location: BFE Illinois
Posts: 262
Have you seen this:
http://hackdaworld.dyndns.org/cgi-bi...wget.c?rev=1.2
or this:
http://hunz.org/hermesap.html
The first yanks the full FW out of the Windows updater... the second does a lot with the Hermes cards. -Mc

#193
General "Noob Basher"
Join Date: Apr 2002
Location: Munich, Germany
Posts: 1,620
Since these are the old Lucent Silver/Gold cards and Marius used to work for Lucent's wireless dept. (I've heard), perhaps he can help, or can put you in touch with somebody who can.. An "inside man" if you will...
__________________
Legends may sleep, but they never die!!!!

#194
approved for all ages...
Join Date: Apr 2002
Location: BFE Illinois
Posts: 262
Thanks for the info, but I worked in Lucent's wireless dept. too.
I already have all the development kits and technical docs and, before the big layoff, had already prodded for as much info as I could get. There's one development kit that's WAY old that they pulled that I don't have. I don't know anyone outside of Lucent that ever received it. It's the Utility Development Kit. They "superseded" it with a different kit, but it's missing key info. From what I understand, if you didn't design the card and actually solder the damn prototype, you don't have the UDK. -Mc

#195
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
ok, I FINALLY got my program working. MUHAHAHAHAHAHAHAHAHAHA
It uses the Windows driver to update the PDA. Incidentally, I did NOT have to run the firmware updater afterwards. After changing the PDA, I just unplugged the card and plugged it back in and logged into my 128-bit WEPped AP.
__________________
~lincomatic
Last edited by lincomatic: 04-29-2004 at 09:16 PM.