
Comments (8)

eskel commented on July 28, 2024

Hi,
I figured out the key for my consumer headset version 1.5.1.

The key is:
const unsigned char HEADSET_151_KEY[KEYSIZE] = {0x4D,0x00,0x47,0x54,0x38,0x10,0x31,0x42,0x4D,0x00,0x47,0x48,0x38,0x00,0x31,0x50};

In the C library, the epoc_open() function call must be changed from epoc_open(d, EPOC_VID, EPOC_PID, 0) to epoc_open(d, EPOC_VID, EPOC_PID, 1) to connect and work properly.

Please add it to the master branch, if you like.

Best, E.

from emokit.
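
The key posted above is visibly patterned: printable ASCII characters alternate with low-value filler bytes, and the second half largely repeats the first. The following C sketch is an added example, not code from this thread or from emokit; it measures that structure, and the thresholds in looks_structured() and the contrast key are assumptions constructed for illustration.

```c
#include <stdio.h>
#define KEYSIZE 16

/* Key exactly as posted in the comment above. */
static const unsigned char HEADSET_151_KEY[KEYSIZE] = {
    0x4D,0x00,0x47,0x54,0x38,0x10,0x31,0x42,
    0x4D,0x00,0x47,0x48,0x38,0x00,0x31,0x50};

/* Constructed contrast key (not from the page): no repeats, no ASCII. */
static const unsigned char CONSTRUCTED_KEY[KEYSIZE] = {
    0x9E,0x03,0xF1,0x8A,0x17,0xC4,0xB2,0x0D,
    0xE7,0x81,0xAB,0x15,0xD0,0xFC,0x99,0x06};

/* Number of distinct byte values in the key (n is the maximum). */
int distinct_bytes(const unsigned char *k, size_t n) {
    int seen[256] = {0}, count = 0;
    for (size_t i = 0; i < n; i++)
        if (!seen[k[i]]++) count++;
    return count;
}

/* Number of bytes in the printable ASCII range 0x20..0x7E. */
int printable_bytes(const unsigned char *k, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (k[i] >= 0x20 && k[i] <= 0x7E) count++;
    return count;
}

/* Positions i in the first half where k[i] equals k[i + n/2]. */
int repeated_between_halves(const unsigned char *k, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n / 2; i++)
        if (k[i] == k[i + n / 2]) count++;
    return count;
}

/* Assumed heuristic: any one of these is very unlikely for random bytes. */
int looks_structured(const unsigned char *k, size_t n) {
    return distinct_bytes(k, n) <= (int)n - 4 ||
           printable_bytes(k, n) >= (int)(3 * n / 4) ||
           repeated_between_halves(k, n) >= 2;
}

int main(void) {
    printf("posted key structured=%d, contrast key structured=%d\n",
           looks_structured(HEADSET_151_KEY, KEYSIZE), looks_structured(CONSTRUCTED_KEY, KEYSIZE));
    return 0;
}
```

For the posted key this reports 10 distinct values, 12 printable bytes and 5 of 8 positions repeated between the halves, which is the signature of a key assembled from a few variable bytes plus fixed filler rather than drawn at random.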

eskel commented on July 28, 2024

Here is a detailed how-to for figuring out my consumer key:

  • Download OllyDbg http://www.ollydbg.de/
  • Download SnD Crypto Scanner (http://www.woodmann.com/collaborative/tools/index.php/SnD_Crypto_Scanner_%28Olly/Immunity_Plugin%29) and copy OllyCScan to Olly directory (version 0.4b)
  • Run OllyDbg
  • Open F3 EmotivControlPanel.exe (do not run debugging yet)
  • Run OllyDbg plugin -> SnD Crypto Scanner
    • Perform Scan
    • MD5, Rijndael (Sig 1) and Rijndael (Sig 2) should be found
    • Keep SnD Crypto Scanner Window open
  • Run debugging of EmotivControlPanel.exe (F9)
  • EmotivControlPanel should completely start, display window with brain and be receiving data
    • no need to have headset properly positioned
  • Switch to SnDCrypto Scanner window
    • Click on Rijndael (Sig 2) then on line in lower window (Signature e1f898...), then click Set Hardware Breakpoint
  • Debugger should almost immediately break at some instruction (e.g., SHL EDX,8)
  • Scroll up until sequence of INT3 opcodes is found
  • Put a breakpoint (F2) on the first instruction below the INT3 sequence - this is the start of the function manipulating the key
    • we now have the beginning of the function manipulating the epoc key
    • you may remove hardware breakpoints now (will break on normal breakpoint at the beginning of this function)
  • Resume debugging (F9)
    • should break almost immediately
    • step over (F8) until the first CALL instruction is found
    • step into (F7)
    • this function is strange, doing memset on NULL param and free (NOT what we are searching for)
    • continue (F8) to second CALL instruction
    • step into (F7), you should see memcpy and memset calls disassembled in OllyDbg window
    • step to part where memcpy function arguments are prepared (PUSH instruction)
    • n should be equal to 0x10 (16B) - number of bytes in epoc key
    • src should point to buffer with epoc key
    • read buffer address (OllyDbg will show that or see value of corresponding PUSH parameter)
    • switch to Memory dump window, RClick->Goto->Expression
    • type buffer address (or parameter of PUSH)
    • read epoc key (16 bytes) from Memory dump window
    • {0x4D,0x00,0x47,0x54,0x38,0x10,0x31,0x42,0x4D,0x00,0x47,0x48,0x38,0x00,0x31,0x50};
  • Insert your headset key into Emokit software (https://github.com/qdot/emokit)
  • Change last parameter of epoc_open to 1 instead of 0 (epoc_open(d, EPOC_VID, EPOC_PID, 1)) in main()


qdot commented on July 28, 2024

Nice! I'll add this info to our readme, and add the key to the code. Thanks so much for finding this!

Will close this out myself once I get those two things done.


eskel commented on July 28, 2024

Many thanks for maintaining this software - good work!


dimokaramanlis commented on July 28, 2024

Thank you qdot for the work on EPOC.

Is there any news concerning eskel's problems while using the Python script?

I tried to run the filter = hid.HidDeviceFilter(vendor_id=0x21A1, product_name='Brain Waves') command in Windows, but the list is always empty, even when I remove the "Brain Waves" name. I tried the same thing in Linux, but it seems that there's no problem.

Can I somehow get rid of this problem without having to use Linux?

Thanks for your time


perl-girl commented on July 28, 2024

eskel,

Thank you for the step by step instructions on how to get the key! I was finally able to get my headset working with the emokit. My headset is pretty much brand new, so I wonder how often they're changing the key now...


qdot commented on July 28, 2024

Just wanted to let you know, I am keeping an eye on this, but I'm so massively swamped in other projects right now that I probably won't be able to update things for a while. If anyone who forked wants to add documentation, keys to code, etc..., please feel free to pull request and I'll try to bring things back in. I've talked to Daeken a bit about trying to figure out the key gen stuff once and for all, but, well, we're both kinda in the same situation time-wise at the moment.


qdot commented on July 28, 2024

Key crack now in repo.
