Hi All... OK - took a break from my other shiny to finally play with my PBL5.1 E3 yesterday. So - the current state of play is this:
Sent Packet: 0x02 0x00 0x02 0x00 0x02 0x00 0x04 ( Version Query )
Rcvd Packet: 0x02 0x00 0x0e 0x00 (STX header + length of packet) 0x82 0x00 0x72 0x00 (Response data) 0x05 0x01 0x22 0x05 0x10 0x40 0xfe 0x7b 0x6e 0xb4 0x1a
Viable commands without SHA-256 hash match are: cmd_2 cmd_9 cmd_15 cmd_16
cmd_16 is used to upload a (as far as I can tell) 392 byte authentication key. The key is hashed via SHA-256 and, for any of the other commands not mentioned above, compared to the hash on the box. If the generated hash matches the stored one, the command executes; if not, it doesn't.
For the interested, I believe the hash is: char SHAHASH[0x20]={ 0xAD,0xA2,0x8D,0x8B,0x4A,0xE7,0x12,0x15, 0x05,0x30,0x98,0x91,0xB1,0x01,0x09,0x24, 0x2B,0x32,0xDE,0xCE,0x67,0x88,0x94,0x81, 0x18,0xA5,0x0B,0x9C,0xB5,0xBD,0xDC,0x24 };
aka:
0x8B8DA2AD 0x1512E74A 0x91983005 0x240901B1 0xCEDE322B 0x81948867 0x9C0BA518 0x24DCBDB5
I'm currently going over the code to see if there are any sneaky bypasses, but it doesn't look good so far. I'll let y'all know if anything progresses. Happy Sunday. Jake
One thought does strike, however. 392 bytes is kind of a strange length for a plaintext source for the hash. Makes one wonder if it's a (X)PGP ASCII signature.
As always, reality may bear no resemblance to the statements above.
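Added example (not Jake's code, nor anything from the box's firmware) modelling the gate as the post describes it: SHA-256 of the uploaded 392-byte key is compared against the stored digest, cmd_2/9/15/16 run without it, and the stored bytes are also shown as the eight little-endian 32-bit words quoted above. The key contents used here are a constructed placeholder; the real key is unknown.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

# Stored digest exactly as quoted in the post (32 bytes).
STORED_SHA256 = bytes([
    0xAD, 0xA2, 0x8D, 0x8B, 0x4A, 0xE7, 0x12, 0x15,
    0x05, 0x30, 0x98, 0x91, 0xB1, 0x01, 0x09, 0x24,
    0x2B, 0x32, 0xDE, 0xCE, 0x67, 0x88, 0x94, 0x81,
    0x18, 0xA5, 0x0B, 0x9C, 0xB5, 0xBD, 0xDC, 0x24,
])

KEY_LEN = 392                         # key blob length uploaded via cmd_16, per the post
UNAUTHENTICATED_CMDS = {2, 9, 15, 16}  # commands the post says need no hash match

# Constructed sample key/digest pair, used only to exercise the match path.
SAMPLE_KEY = b"x" * KEY_LEN
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_KEY).digest()


def digest_as_words(digest: bytes) -> List[int]:
    """View a 32-byte digest as eight little-endian uint32 words (the 'aka' form)."""
    return list(struct.unpack("<8I", digest))


def key_matches(uploaded_key: bytes, stored: bytes = STORED_SHA256) -> bool:
    """Gate: SHA-256(uploaded key) must equal the stored digest.
    Wrong-length keys are rejected outright; the compare is constant-time."""
    if len(uploaded_key) != KEY_LEN:
        return False
    return hmac.compare_digest(hashlib.sha256(uploaded_key).digest(), stored)


def command_allowed(cmd: int, uploaded_key: Optional[bytes]) -> bool:
    """Dispatch rule as described: listed commands run unconditionally,
    every other command requires a key whose hash matches."""
    if cmd in UNAUTHENTICATED_CMDS:
        return True
    return uploaded_key is not None and key_matches(uploaded_key)


if __name__ == "__main__":
    print(" ".join(f"0x{w:08X}" for w in digest_as_words(STORED_SHA256)))
    print(command_allowed(16, None), command_allowed(3, b"\x00" * KEY_LEN))
```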