amnemonic / Quansheng_UV-K5_Firmware

Quansheng UV-K5 Firmware

Question: Has anybody found the "Master" password? #106

Open Lar-Sen opened 10 months ago

Lar-Sen commented 10 months ago

It is a known fact that the AES key needed to access EEPROM read/write without knowing the owner's password is 4AA5CC600312CC5FFFD2DABB6BBA7F92. It's a factory backdoor. I'm curious about the genuine password which they make use of.

Some knowledge about the genuine configurator for UV-K5, PsCps.exe, hints that some hashing functions are used here, but at first sight the correct algorithm remains unknown (to me).

Exported functions related to password hashing (in ss.dll) are:

ComputeMAC256(void *, __int16, int)
VerifyMAC256(void *, __int16, int)

These two invoke:
ComputeSHA256(void *, int, __int16, __int16, int)

then:
set_secret(x)

My skills at reverse engineering C# being close to null, if anyone here has a hint about how the password (NOT the power-on password, which is more or less a PIN) gets encoded in EEPROM, I'd be very pleased to hear from you :)

Lar-Sen commented 10 months ago

My findings so far:

set_secret(x) is in fact called at the very beginning. It seems that "ComputeMAC256" is their own attempt at a hashing function similar to the HMAC/SHA-256 algorithm. The result is truncated to 128 bits, then stored in EEPROM at address 0x0F30, to be used as an AES key later for the challenge/response algorithm. Seems secure, maybe overkill.

They mix (XORed?) a secret, which is 0x8E406920D0412A4D99586039F16420FB22E2918498FB2AB6655074FFF1B8F8A2 (initialized via set_secret), the user-given password padded to 256 bits with 0x00, and a mysterious "xiaoxiao" string padded with the 'Z' character. Probably a static salt.

The next round calls ComputeSHA256 twice on these strings, but I didn't find which order is correct. I'm not so familiar with debuggers... It really looks like HMAC-SHA256, but it's definitely not.

Notes: xiaoxiao means 'small little thing', as in 'not big but cute' :) It also seems to be a popular animation series. A hint that they reused the DLL from another project: the debug symbols file is said to be "D:\Work\Repeater\sha256lib\Release\ss.pdb"
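As an added example (not code from the issue, PsCps.exe or ss.dll), here is a small harness for testing a hypothesised derivation against the 16 bytes a radio stores at 0x0F30: it builds HMAC-SHA256 from its two SHA-256 rounds so the structure can be compared with what ComputeMAC256 does, and uses the constants quoted above. The combination order, and padding "xiaoxiao" with 'Z' to 32 bytes, are assumptions to be checked, not the configurator's known algorithm.

```python
# Added example: hypothesis harness, not the configurator's real algorithm.
import hashlib
import hmac

# Constants quoted in the thread.
SECRET = bytes.fromhex("8E406920D0412A4D99586039F16420FB22E2918498FB2AB6655074FFF1B8F8A2")
SALT = b"xiaoxiao".ljust(32, b"Z")   # assumption: 'Z'-padded to 32 bytes

def pad_password(password: str) -> bytes:
    """Pad the user password to 256 bits (32 bytes) with 0x00, as described."""
    raw = password.encode("ascii")
    if len(raw) > 32:
        raise ValueError("password longer than 32 bytes")
    return raw.ljust(32, b"\x00")

def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """Textbook HMAC-SHA256 (RFC 2104) written out as its two SHA-256 calls,
    so the inner/outer rounds are visible for comparison with ComputeMAC256."""
    block = 64
    if len(key) > block:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def candidate_key(password: str) -> bytes:
    """HYPOTHESIS (assumption): HMAC-SHA256 keyed with SECRET over
    padded password || salt, truncated to 128 bits. Swap this body to
    try another ordering or mixing rule."""
    return hmac_sha256_manual(SECRET, pad_password(password) + SALT)[:16]

def matches_dump(password: str, eeprom_0f30: bytes) -> bool:
    """Constant-time compare of a candidate with the 16 bytes read at 0x0F30."""
    return hmac.compare_digest(candidate_key(password), eeprom_0f30)

if __name__ == "__main__":
    # Constructed dump value, derived from the hypothesis itself only to show
    # the harness running; a real check uses bytes read from the radio.
    sample = candidate_key("test1234")
    print(candidate_key("test1234").hex(), matches_dump("test1234", sample))
```

A hypothesis is confirmed only when matches_dump returns True for a password you set yourself and a value you read back from your own radio's EEPROM.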