How to reset hacked 6x16 DR5 Config Password??

JasonDB (Programmer, US)
Feb 16, 2003
A system I installed was recently hacked and along with scrambling the line settings and set names (which were changed to -lovely- words...) the perp changed the admin and config passwords.

I have tried shorting out the onboard battery & caps and powering up without the software installed, with no luck. I attempted the **DEBUG procedure, but I get the message "Access Denied" when I enter **DEBUG.

Am I doing something wrong during the **DEBUG process? Does it have to be done from a certain set? I set the date to 2-1-91, no specific time before trying that process. The system does not have RAD and I do not have RAD available.

Thanks in advance!

Jason Bruler
 
Jason,
A rad won't help with a 6/16. The capacitor you need to short out is in the software cartridge. Do that and you won't have further trouble.

PhM

 
Well, I got into DEBUG (note to the future: It can only be accessed from a 7310 type set) and @ 080AA0 I end up with:

08E8 0000 000A 7C1A 302D 000C 41BC 00FF

I understand about crossing out the first zero, but does "every other one until you get to alpha digits" mean that I should stop at the E in the first segment?

Thanks again!
Jason
 
Sounds like you aren't in the correct memory location for the config password. If the password was at default you would see something like the following:

0206 0603 (Press NEXT)

0404 0000

As Arr suggested, the easiest thing to do would be to short the cap in the software cartridge and default all programming.

Brian Cox
J & J Communications
brian@jandjcommunications.com
 
I'm sure I was in the correct/given memory location, I tried it 5 times!

Can anyone verify the 080AA0 memory address? Particularly, anyone with a 6x16 DR5 system with a known config password...

Thanks,

Jason
 
I just checked on a default password for a 616 DR5 non DS and the password was under 080B2C.

Steve
 
Steve - Thanks, I'll check that address tomorrow. It's not a DR5DS system, but just in case someone transposed the addresses in the FAQ I tried the DS address already anyway, it doesn't work: "Bad Address"

Brian - You have 0B0AA0 for the address, as opposed to 080AA0? Someone needs to fix the FAQ once this is figured out!

Jason
 
JasonDB,

Let us know so I can fix it. That is what I had written down in my notes, but I have been wrong before.

Thanks and Good Luck!!
 
Thanks guys, I just corrected the FAQ. Sorry I gave bad info. I cannot read my own writing.

Thanks again!!
 
Arrgh. This is frustrating the heck out of me! This is definitely a DR5 non-DS system. On memory dumps:

at 0B0AA0 I get:

FFAF 72ED 6EE3 6BFF

at 080B2C I get:

45ED 2C5F 205F 4FEF

I don't mind scrolling thru the memory to find the password if I have to, but I need to know what I'm looking for (and an idea where to start!)

Will it ALWAYS look like:

0x0x 0x0x (next) 0x0x 0000 ('x' representing digits of the password)

or can it vary like:
0x3x AxEx (next) 1x0x 0000

Since someone else supposedly already found their password at a different address, can anyone verify where to actually look?

Shorting out the cartridge capacitor is my last option, there is very little down time available on this system, which has a lot of custom restrictions for different lines and sets, and it'd have to be done in the wee hours of the morning!

Thanks!

Jason
 
Jason,

I'm not sure of the address for this one, but phonebiz posted the address of 080B2C; you may want to try it. What you will see is ###### (# represents address):0X0X0 0X0X press next ######: 0X0X 0X0X. Yes, the X's do represent the password. Keep in mind the password does not have to be 7 digits long; I've seen them changed to 3-digit passwords.

Good Luck
 
My system version is 30MKM10 DR5 (Non DS). According to executone's FAQ on software versions the MK means that the KSU type and software version is CDR4 Class Eng/Sp. Apparently each version, even within DR5, has a different address. I think you are going to have to scroll. The following may help you though.

My address is 080B2C.
The following info is listed:
02060603040402030604060FEFFF
I assume that you can get into Admin programming since you were able to change your date. The above string includes my config address of 266344 and then continues with the admin password of 23646 and then a string of letters.

I recommend you start scrolling and look for your admin password. The numbers in front of it should be your config password.

Good Luck!!

Steve
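The layout Steve describes (one password digit per byte with a zero high nibble, config password stored directly in front of the admin password) can be checked against the dumps quoted in this thread. This is an added example, not code from any poster or from the vendor; the function names are hypothetical and the digit-per-byte layout is assumed from Steve's dump only.

```python
from typing import List, Optional

# Dumps quoted in the thread, as read off the set display.
STEVE_DUMP = "02060603040402030604060FEFFF"      # Steve's system, address 080B2C
JASON_DUMPS = ["FFAF 72ED 6EE3 6BFF", "45ED 2C5F 205F 4FEF"]

def parse_dump(text: str) -> bytes:
    """Convert a dump such as '0206 0603' into raw bytes (spaces ignored)."""
    return bytes.fromhex("".join(text.split()))

def digit_runs(dump: bytes, min_len: int = 4) -> List[str]:
    """Return runs of bytes 0x00-0x09 as digit strings.

    Assumption: each stored digit is one byte with a zero high nibble.
    A 00 byte is counted as the digit 0, so padding and a real 0 digit
    cannot be told apart here. min_len=4 is an arbitrary noise filter.
    """
    runs, current = [], ""
    for b in dump + b"\xff":          # sentinel byte flushes the final run
        if b <= 9:
            current += str(b)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = ""
    return runs

def config_before_admin(dump: bytes, admin_password: str) -> Optional[str]:
    """Return the digits stored immediately before the known admin password."""
    if not (admin_password.isascii() and admin_password.isdigit()):
        raise ValueError("admin password must be numeric")
    needle = bytes(int(d) for d in admin_password)
    pos = dump.find(needle)           # first occurrence only
    if pos < 0:
        return None
    start = pos
    while start > 0 and dump[start - 1] <= 9:
        start -= 1                    # walk back over preceding digit bytes
    return "".join(str(b) for b in dump[start:pos]) or None

if __name__ == "__main__":
    print(digit_runs(parse_dump(STEVE_DUMP)))
    print(config_before_admin(parse_dump(STEVE_DUMP), "23646"))
    for d in JASON_DUMPS:
        print(d, "->", digit_runs(parse_dump(d)))
```

Both of Jason's dumps contain no digit-only bytes at all, which is consistent with those addresses not holding a password field on his software version.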
 
I ran into the same problem with a client's site; however, I am not familiar with the **debug command... what is the password to access that?

 
We finally got in a 616 DR5 and I did find the config password starting at memory location 080AA0. The sheet I had showed 0B0AA0 which is WRONG! Just wanted to update y'all on what I found. Regards.

Brian Cox
J & J Communications
brian@jandjcommunications.com
 