obsolete Pro/ENGINEER, aka Pro/E, Unix

[amyk]

Pick up some RE skills and have a crack at it (literally)...

[legacy]

eheheh, in first place I have to understand the strange error I get
I wonder what is wrong if I have reprogrammed the EEPROM
so the hostid is equal to my died machine

[legacy]

I wonder if ... someone has already reversed the hash algorithm used by FlexLM v=<5 

[suicidaleggroll]

You could always set up a VM with a MAC that matches your old system, then use that to run all of this old software you can't update to the new machine.

[legacy]

You could always set up a VM with a MAC

not possible on IRIX

[kmike]

You could always set up a VM with a MAC

not possible on IRIX

Hi,

as far as I can remember, flexlm only checked the hostname and the MAC address (they were in cleartext in the license file). As for changing the MAC address, You could look on the network card, it was stored in a serial eeprom on most of the old network cards. Maybe this forum topic could help:

hXXp://comp.sys.sgi.admin.narkive.com/by8lqEGp/how-to-change-mac-address-on-o200-irix6-5-8

br,
mike

*edit:typos

[legacy]

as far as I can remember, flexlm only checked the hostname and the MAC address

the Irix kernel is different for every machine, IP32 is different from IP30
therefore that method doesn't work, I mean it works only for a few machines

in fact we have different hacks

anyway, a better idea is to change or reprogram the chip which assigns the mac-address
again, it's different from IP32 to IP30, in the last case it's a 1wire chip by Dalsemi
on IP28 it's a EEPROM 96xx, etc

there is an other problem in reprogramming the MAC: IRIX has a lot of licenses to be satisfied
in my case I have the CFS-XVM mirroring and Impressario, both of them are node locked to my MAC
if I change the MAC in order to run Pro/E … I will lose them

ergo, one (not saying me) has only two ways

• generating a valid license, by fishing the 5 keys inside flexlm
• cracking and patching flexlm

oh, the first one is the most elegant and less invasive, but it's ONLY possible with flexlm v1..v5
with v6 they introduced more protections, including a blackbox with a cryptography

[legacy]

unfortunately I don't know in details how flexlm works
and I don't know which is the rule of lmcrypt 

each vendor has its own five keys, plus 2 seeds
it's not exactly a piece of cake

[kmike]

ergo, one (not saying me) has only two ways

• generating a valid license, by fishing the 5 keys inside flexlm
• cracking and patching flexlm

Is it possible to add another network card with the right MAC address (changed in the eeprom ) to the system?
As for the software approach, I would not attack the crypto in flexlm, but the point where it reads the MAC address. As IRIX is based on Unix/BSD, this should be a file read.

br,
mike

[richardman]

The only thing I know about PRO/E is that back in the days when we first brought up what would become the Itanic, I meant, Itanium, getting PRO/E to work was one of those "must happen" things. Don't you hate it when companies always say "This new widget X and project Y will be the future of the company! TYPE FASTER!!!" and then lots of things happen anyway, including a few CEOs that burn the company to the ground...

[legacy]

Is it possible to add another network card with the right MAC address (changed in the eeprom ) to the system?

it's not so easy to add another NIC with a customized MAC, those NICs must be SGI-compliant, and ... lmhostid won't care about them about the hostid, since it cares only to the build-in NIC

As for the software approach, I would not attack the crypto in flexlm, but the point where it reads the MAC address. As IRIX is based on Unix/BSD, this should be a file read.

I have to investigate

[kmike]

Is it possible to add another network card with the right MAC address (changed in the eeprom ) to the system?

it's not so easy to add another NIC with a customized MAC, those NICs must be SGI-compliant, and ... lmhostid won't care about them about the hostid, since it cares only to the build-in NIC

As for the software approach, I would not attack the crypto in flexlm, but the point where it reads the MAC address. As IRIX is based on Unix/BSD, this should be a file read.

I have to investigate

Is it possible to install/run a debugger on Your system?
There are a lot of interesting things about v6 here:
hXXp://www.woodmann.com/fravia/siulflex.htm

br,
mike

[legacy]

Is it possible to install/run a debugger on Your system?

yes

There are a lot of interesting things about v6 here:
hXXp://www.woodmann.com/fravia/siulflex.htm

frankly … 60% of bullshits there

[legacy]

FLEXlm libraries are *flexible* and support many different APIs and methods of license management. How the applications use those libraries is largely up to the developer.

I have developed a FLEXlm-like engine toy, it is not flexible since it offers just *one way*: the validator code is stored in supervisor space, protected by MMU, not accessible form the userspace, and it can be invoked only by a kernel system call, there fore the application needs to pass the FEATURE line as input, and it will get a boolean answer,  is_it_valid { True, False }

you put the FEATURE string pointer into a register (including the hash), you invoke the method, it will recompute the hash, it will check if the date is expired and other limitation, then it will answer with the compute hash and with the response

Code: [Select]

is_it_ok = check_limitations();
is_it_valid=(acquired_hash isEqualTo computed_hash);
ans=(is_it_valid logicalAnd is_it_ok);
return ans;


about bullshit on FLEXlm articles: well, my toy is just a toy, there is no business on it, ... you don't think that the it would really creates an hash (computed_hash) in ram and then compares it the one in the license file (acquired_hash) ... but ... yes they would because this is exactly what they do, and not only that they leave it in memory untouched when they are finished with it.

do you think the same scheme can be applied to FLEXlm? so, are you really *to fish* (through a debugger) the computed hash in memory ? FLEXlm < v5 are claimed to do so, seriously?

in my case ... I was too lazy to implement something really strong, so I put my effort on the protected memory method (XINU kernel), and the validator runs inside the super-user space, which traps a memory error if an application in user space tries to access

the MMU doesn't translate address, virtual addresses are equals to physical addresses, but there is a protection, and some area are not accessible, protected

poor design for my 68060 board, I know


FLEXlm <v5 promotes security through obscurity, then they evolved, since these days (after 2006) one would design something based on public key cryptography, the functional equivalent to openssh login using a certificate.

[kmike]

Another idea: program a microcontroller to emulate the serial eerprom of the network card, hook it up to a switch so You can decide wich MAC address to use.
Or use multiple serial eeproms and literally switch between them dependig on what software You need
Not nice, but should work

br,
mike

[legacy]

Another idea: program a microcontroller to emulate the serial eerprom of the network card, hook it up to a switch so You can decide wich MAC address to use

good, but on SGI the MAC address is read at the boostrap in order to provide the lmhostid
if you change the MAC on the fly the lmhost is won't follow the update

you need different licenses to be present

[legacy]

p.s.
on Octane you need to reprogram or to emulate a OneWire chip made by DalSemi/Maxim
on Impact you need to reprogram or to emulate a 96xx EEprom

on O2 it's OneWire chip
on Fuel/Tezro it's more complex

On Indy it's a piece of cake: you can reprogram the MAC from the firmware, it's written in NVRAM

[Grunchy]

So I was looking into this vintage Pro/Engineer project for myself and there are plenty of resources now available on the topic.

First of all, it wasn't until Pro/Engineer R20 that they started to use FlexLM. Check out their information page from 1997:
https://support.ptc.com/olm/flexlm/

So it would be nice to get an ISO version of R20 since that may be straightforward to generate a FlexLM licence file for it, however archive.org only seems to have R16 and R17 so far.

Pro/Engineer R16 for Unix:
https://archive.org/details/pro-unix-16

Pro/Engineer R17 for Unix:
https://archive.org/details/pro-unix-17

Meanwhile, there's a super-convenient method to set up a vintage Sun Solaris virtual machine using "Qemu" software, I already did this and it's terrific!
https://learn.adafruit.com/build-your-own-sparc-with-qemu-and-solaris

Plus a terrific manual to play with the pro/engineer software if and when I can ever get it working:
https://archive.org/details/insideproenginee0000utzj

So right now I'm at a cross-roads, I can either try to find somebody who created a "keygen" for R16/R17 and go ahead and get one of those working,
or hopefully somebody got a CD copy of R20 and wouldn't mind uploading that to archive.org.

[HighVoltage]

I might still have the ISO of all these old Pro/Engineer versions. Need to take a look on old hard drives.

 

[Bicurico]

You can run Irix on a PC using MAME.

There are ready to use setups you can find on the internet with IRIX 5.3 or IRIX 6.2, emulating a SGI INDY or a SGI Indigo 2.

This emulation is rather slow, as MAME strives for exact emulation.

However, on my new workstation running an Intel Core i9-13900KF, the emulation is quite usable!