Unlocking NetWare 2.0a | OS/2 Museum

2024-02-23 05:19:48

A couple of months in the past, the OS/2 Museum obtained a seemingly full and error-free set of floppies with Superior NetWare 286 2.0a SFT II. And only in the near past, a disk set of Superior Netware 86 2.0a turned up, although sadly incomplete.

Each releases are from 1986 and share one somewhat disagreeable function: The NetWare OS gained’t run with out a {hardware} key card:

All or most aged NetWare variations offered earlier than circa 1988 wanted a customized {hardware} key which needed to match the serial quantity that was burned into the NetWare disks. I’m unsure what the precise historical past was, however it’s identified that the NetWare serial quantity might be offered by Novell’s DCB, or Disk Coprocessor Board:

I don’t fairly perceive what was the purpose of promoting a customized disk controller and requiring a serial quantity match. However NetWare 2.0a might additionally run on off the shelf {hardware} utilizing normal AT disk controllers and drives. For these machines, Novell offered a easy key card:

A NetWare key card. There’s not a lot to it!

I’m not solely certain if Novell was extra apprehensive about piracy by finish customers or by unscrupulous resellers. In any case, in 1986, through the period of Superior NetWare 2.0a, a {hardware} key was required by NetWare.

For sure, if you’re extremely fortunate and discover a full NetWare 2.0a disk set, and the disks are literally readable, the probabilities of additionally having the matching {hardware} key are near nil. And even for those who did have one, that doesn’t in any respect assist when attempting to run NetWare 2.0a in an emulator. So, what will we do?

There are two apparent approaches. Both emulating the important thing card {hardware}, or patching the software program to not want a key card.

Emulating a NetWare Key Card

First let’s study the general logic. NetWare 2.0a makes use of a 6-byte serial quantity which is totally different on each disk. It’s written into an object file NET$OS.OBJ, from the place it propagates into the ultimate NetWare executable, NET$OS.EXE.

The primary 4 bytes are the serial quantity correct, saved in BCD format (eight digits). The primary two digits are typically zeros and could also be not noted on serial quantity stickers and such. The final two bytes are an “Utility Quantity” which presumably controls NetWare capabilities such because the variety of customers supported.

When NetWare begins up, it reads six bytes of knowledge from the important thing card. These six bytes must match the serial and software quantity saved in NET$OS.OBJ.

The important thing card {hardware} is sort of easy. It responds to I/O port reads in a hard and fast vary from 23Ah to 23Fh. For causes that could be misplaced to historical past, the serial quantity is saved in an odd format–presumably obfuscated, presumably considerably scrambled for technical causes.

Ports 23Ch to 23Fh return the serial quantity correct, whereas ports 23Ah and 23Bh present the appliance quantity. Trying on the key card photograph, it’s attainable that Novell had prototype boards the place a part of the serial quantity and/or software quantity might be set utilizing jumpers.

That is how the serial quantity nibbles are returned by the important thing card. Notice that each one values should be bit-flipped after they’re learn from the cardboard:

port 23Ch: [ S2L : S1L ]
port 23Dh: [ S0H : S3L ]
port 23Eh: [ S0L : S3H ]
port 23Fh: [ S1H : S2H ]

port 23Ah: [ S5H : S4H ]
port 23Bh: [ S5L : S4L ]

S0 to S5: Six bytes of serial quantity
H = excessive nibble, L = low nibble
All values bitwise complemented

There may be actually not a lot to it, and emulating such {hardware} is trivial. However it’s nonetheless nearly as annoying as the actual key card: You should even have the emulation, and it will probably unlock solely a single copy of NetWare. That’s fairly annoying when experimenting, equivalent to attempting to determine whether or not NetWare 86 2.0a 86 and NetWare 286 2.0a SFT II perceive the identical on-disk format (they don’t).

The one actual benefit an emulated key card has is that it will probably run unmodified NetWare.

Fixing the Software program

The opposite strategy is to neglect about the important thing card {hardware} solely and patching out the {hardware} key checks as an alternative.

I made a decision to go along with a considerably difficult however secure strategy. Fairly than patching out the serial quantity checks, I changed the routine which reads the serial quantity from the important thing card. The alternative copies the serial quantity to the identical location the place the unique routine positioned it. That approach, if NetWare in any approach relied on the contents of the bytes holding the {hardware} serial quantity, it will nonetheless work high quality (although I believe it doesn’t care).

Because it seems, it’s not laborious to search out the serial quantity burned into NET$OS.OBJ / NET$OS.EXE, as a result of it’s prefixed by a handy ‘S/N=’ string. The present serial quantity is learn and copied to the tip of the alternative routine, which strikes it precisely the place the routine studying the important thing card is anticipated to put it. Thankfully the alternative code is way smaller than the unique, as a result of it doesn’t must trouble bit-flipping and swapping all of the nibbles round.

The patching logic is applied in a Python script. This script requires Python 3. The whole lot is in there, together with feedback.

The patcher might be run in opposition to the NET$OS.EXE file. However not solely that. There’s a excessive chance that it will probably patch NET$OS.OBJ as properly—so long as the unique serial quantity and key card studying routines are every saved in a single LEDATA file, which is someplace between extremely seemingly and assured.

Clearly if NET$OS.OBJ is patched, then a newly generated NET$OS.EXE gained’t want any additional therapy. The patching logic even makes certain that the checksum of the modified LEDATA file nonetheless matches, though the Novell linker doesn’t seem like in any respect involved if it doesn’t.

Fairly conveniently, the patcher can be used instantly on uncooked floppy pictures containing NET$OS.OBJ or NET$OS.EXE. There’s a slight likelihood that the patching would possibly fail if the information had been fragmented (i.e. if the essential byte sequences had been saved in non-consecutive sectors). That is extraordinarily unlikely to occur with the unique NetWare disks.

Making use of the patch to the GENOS-3 disk of NetWare 286 2.0a SFT II, which holds the generated NET$OS.EXE, we find yourself with the next:

NetWare 286 2.0a SFT II, who wants a key card?

From 1986 to 2024, NetWare 2.0a lives!

The patching script has clearly not obtained plenty of testing as a result of there simply aren’t that many copies of NetWare 2.0a obtainable.

Reinventing the Wheel

For sure, this has been achieved earlier than. And never solely has it been achieved—within the mid-Nineteen Eighties, an organization known as NetWork Enterprise Programs out of Houston, Texas was proudly selling a instrument known as KeyCard Eliminator for $99. That was not low-cost, but it surely was a lot cheaper than NetWare licenses, which value greater than a thousand {dollars}.

However discovering these previous cracking instruments isn’t any simpler than discovering NetWare 2.0a… so I wrote my very own. Drawback solved.

Source Link