Cracking the password of ICOM's RP2C controller

Karel Julis, OK1UHU, ok1uhu@qsl.net

Well, a couple of days ago ICOM's RP2C D-Star repeater controller box appeared on my desk, brought to me by my friends from OK1KZE with a complaint: the box cannot be configured from the network, the bundled software says "No reply from controller". But otherwise, the box runs and controls the radio boxes! A challenge to help them.

First, I tried to google, google and google (until I felt totally lost). A waste of time, don't repeat such a mistake. ICOM does not publish anything useful about their products except user manuals written for real dummies (I think that's a rule at this company). OK, let's write a question to ICOM's representative. A really funny game for strong personalities.

After a couple of mail exchanges, where I repeatedly sent them a detailed description of the problem, Ethereal dumps etc. and begged for some way to reset the firmware defaults, I always got a reply saying "check your IP, check password" and similar really useful information. I gave up on mailing ICOM to protect my mental integrity and realized: I am on my own.

After a couple of tests I discovered that the communication runs on UDP, and the software should send a communication-initiating packet carrying the login command with the right password. Otherwise, the controller generally does not send any reply - thus you don't know whether there is a wrong password, a wrong port number, or something else. A really good idea from the SW designer in the case of a radio amateur product. Anyway, remember, an ordinary ping checks only the ICMP way, nothing more! You cannot SYN-check the ports because of the nature of UDP. For now, let's believe we have the right port number.

At this point, a dictionary attack could be used, if you are sure about the UDP port. I was not (there were some other people playing with the box before me), so I looked for some other way to get into the controller's head.

After a couple more days, I got a message from Jirka, OK2BKR, who had discussed my problem with Jann, DG8NGN. And voila - Jann sent us a service manual for the controller, from which it could be found that there is an internal serial port on the board. Jann found that the communication runs at 9k6, N/8/1, RTS/CTS handshake. Jann also has some basic experience with communication on this port. Looks promising.

Well, a serial cable was built and connected to J6 of the controller.

Onboard pin numbers, wire colors, meaning, DB9 pins:

Pin  Wire    Meaning           DB9
1    green   RTS from ctlr.    8
2    orange  data from ctlr.   2
3    red     data to ctlr.     3
4    blue    CTS to ctlr.      7
5    black   ground            5

The port uses ordinary RS-232 levels, not TTL or CMOS etc.
No level converter needed!

I use minicom, set to the serial format described above; it is very useful to switch local echo on (Ctrl-A E) and LF append (Ctrl-A A). Make yourself comfortable. Now we can test the connection (Jann's suggestion):

fdST:x001
brST:x001=00000002

As far as I know, the packets going TO the controller (the yellow ones) should start with "fd", and the replies (cyan) carry the "br" signature. Dunno why, but that is the fact. Next, they carry a two-letter command code and its parameters, separated by a colon (I hope so, it looks so). If you think you can find the protocol description somewhere on the internet or even on ICOM's support pages, again - gosling, forget about it.

Thus, I wrote a script offering the command codes AA to ZZ to the controller and recording the answers. And ...

fdPW
brPW
mypass

Well, well, well. The command PW (surprising code, don't you think?) dumps the current system password, even in human-readable form!!! The next step is now boringly easy:


Enjoy.
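To make the framing concrete, here is an added example of my own (not part of the original write-up, not ICOM code): a small Python parser for the line protocol as I understood it from the two exchanges above, run over a constructed transcript. It treats the "fd"/"br" prefix, the two-letter command and colon-separated parameters as the frame, and any bare line as the payload of the preceding reply, which is exactly how the password appeared after "brPW"; those two points are assumptions. Such a parser is what you want when auditing a captured console session to record which commands hand out secrets in cleartext.

```python
import re
from dataclasses import dataclass, field
# Constructed transcript in the shape the article shows: "fd" lines go to the controller,
# "br" lines come back, and a bare line is payload belonging to the preceding reply.
SAMPLE_TRANSCRIPT = """\
fdST:x001
brST:x001=00000002
fdPW
brPW
mypass
"""
# Assumed framing: 2-char direction prefix, 2-letter command, optional ":"-separated params.
FRAME_RE = re.compile(r"^(?P<dir>fd|br)(?P<cmd>[A-Z]{2})(?::(?P<args>.*))?$")
@dataclass
class Frame:
    direction: str   # "fd" = to controller, "br" = reply from controller
    command: str     # two-letter command code, e.g. "ST" or "PW"
    params: dict     # "key=value" -> {"key": "value"}; bare "key" -> None
    payload: list = field(default_factory=list)  # bare lines that followed a reply

def parse_frame(line):
    # One framed line -> Frame; None if the line is not a frame (e.g. a payload line).
    m = FRAME_RE.match(line)
    if m is None:
        return None
    params = {}
    if m.group("args") is not None:
        for item in m.group("args").split(":"):
            key, sep, value = item.partition("=")
            params[key] = value if sep else None
    return Frame(m.group("dir"), m.group("cmd"), params)

def parse_transcript(text):
    # Split a captured session into Frames, attaching payload lines to the last reply.
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        frame = parse_frame(line)
        if frame is not None:
            frames.append(frame)
        elif frames and frames[-1].direction == "br":
            frames[-1].payload.append(line)
    return frames

def replies_with_payload(frames, commands=("PW",)):
    # Replies to `commands` that carried extra lines; for PW that payload is the cleartext password.
    return [(f.command, f.payload) for f in frames
            if f.direction == "br" and f.command in commands and f.payload]
```

Running `replies_with_payload(parse_transcript(SAMPLE_TRANSCRIPT))` on the constructed session yields `[("PW", ["mypass"])]`, the one exchange an audit of this console should flag.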

For a conclusion, let me ask one question - is it soooo hard for ICOM's representatives to describe such a simple solution to a ham abroad, instead of the "otherwise, we have to have the controller back here (in Japan?) to check in detail" reply? I do not think so - but I am not an employee of ICOM.

Thanks to all the "good guys", Jann and Jirka ...