Monday, April 7, 2008

Hardware password sniffing and hacking

I recently came across a really cool piece of gear... a rack-mounted SNMP network interface unit. This device is essentially an interface that allows you to monitor and control external devices of your choice via SNMP.

There is one issue... I don't have a password to console into it to configure it. Finding a default login password or a reset procedure for this device has been an impossible task. Marconi (the maker of this device) has since been dissolved into several companies, making any documentation out there extremely scarce. The only things I have found are links to a manual that point to websites no longer in existence, and very vague product feature descriptions. (If anyone out there does happen to have a manual for this device, please let me know!)

I really want to get this device working; it is extremely flexible and there really isn't anything else on the market that can inexpensively and easily do the same thing.

So here is my idea. Since breaking in through the console port doesn't look feasible, and there is no hard manual reset to restore its factory defaults, I'm not left with very many options. Opening it up, I discovered that the device contains a 16-bit flash EEPROM... all configuration information is stored on this device, as it's the only writable memory on it. At some point while the embedded ARM processor is loading its basic embedded OS/program from PROM, it has to load this saved configuration from the EEPROM. So I will simply sniff the data coming off of its data bus with a logic analyzer, convert the two bytes of info into ASCII and hope that everything is in clear ASCII text. I can't imagine that the data on this device would be encrypted between the ARM processor and flash... so this data should be easily retrievable.

Step 1: I obtained the data sheet for the AMD 16-bit EEPROM and wired the 16 pins of its data bus with interfacing leads:

The remaining leads were soldered to points on the bottom of the board.

Step 2: Wire the 16-bit data bus to my logic analyzer.

Step 3: Power on the device and capture the data!

The issue I am having now is understanding the data. I have no idea how the ARM processor is writing data to memory and what type of endianness it is using. (It doesn't help that this ARM processor manufacturer is no longer in business either :( ). Since ARM processors can be configured as big-endian or little-endian, I will have to decode the data both ways until I see some legible data. My logic analyzer can take the data seen above and convert it into ASCII text, displayable on the screen. It's a slow process, but I'm making progress.
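The decoding step described in the plan above and in this paragraph (take each 16-bit word off the bus, split it into two bytes in both possible orders, and look for legible ASCII) is easy to automate instead of eyeballing the analyzer screen. The script below is an added example written for this post, not code from the original author or from the device vendor. It assumes a hypothetical capture export format of one line per bus read cycle as `sample,0xHHHH`, that each line is one 16-bit word read from the flash, and that nothing encrypts or compresses the data between the ARM core and the flash; the sample capture embedded in it is constructed for the example, not data from the device.

```python
"""Decode a 16-bit flash data-bus capture into ASCII, trying both byte orders.

Added example (not from the original post). Assumptions: the logic analyzer
exports one line per bus cycle as "sample,0xHHHH" (hypothetical format); each
line is one 16-bit word read from the flash; no encryption or compression
sits between the ARM core and the flash.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List, Tuple

MIN_RUN = 4  # shortest run of printable ASCII worth reporting (like `strings -n 4`)


def parse_capture(text: str) -> List[int]:
    """Parse the (assumed) "sample,0xHHHH" export format into 16-bit words."""
    words = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header / comment lines
        _sample, hexword = line.split(",", 1)
        words.append(int(hexword.strip(), 16))
    return words


def words_to_bytes(words: Iterable[int], little_endian: bool) -> bytes:
    """Serialize 16-bit bus words into a byte stream in the chosen order.

    little_endian=True means D7..D0 of each word is the lower address, which
    is how a little-endian ARM core would lay out a string in 16-bit flash;
    big-endian puts D15..D8 at the lower address.
    """
    out = bytearray()
    for w in words:
        if not 0 <= w <= 0xFFFF:
            raise ValueError(f"not a 16-bit word: {w:#x}")
        out += w.to_bytes(2, "little" if little_endian else "big")
    return bytes(out)


def printable_runs(data: bytes, min_run: int = MIN_RUN) -> List[Tuple[int, str]]:
    """Return (byte offset, text) for each run of >= min_run printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def decode_both_orders(words: Iterable[int], min_run: int = MIN_RUN) -> Dict[str, List[Tuple[int, str]]]:
    """Decode the same capture big- and little-endian; a human picks the legible one."""
    words = list(words)
    return {
        "big": printable_runs(words_to_bytes(words, little_endian=False), min_run),
        "little": printable_runs(words_to_bytes(words, little_endian=True), min_run),
    }


# Constructed sample capture (made up for this example, not data from the device):
# a zeroed word, two NUL-terminated "key=value" settings, then an erased 0xFFFF word.
SAMPLE_CAPTURE = """\
# sample,data
0,0x0000
1,0x6c6f
2,0x6769
3,0x6e3d
4,0x6164
5,0x6d69
6,0x6e00
7,0x7061
8,0x7373
9,0x3d73
10,0x6563
11,0x7265
12,0x7400
13,0xffff
"""


if __name__ == "__main__":
    for order, runs in decode_both_orders(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"--- {order}-endian ---")
        for offset, text in runs:
            print(f"{offset:#06x}: {text}")
```

On the constructed sample the big-endian decode yields `login=admin` and `pass=secret`, while the little-endian decode of the very same words yields `olig=ndaim` and `napsss=ceer`: byte-swapped text is still mostly printable, so look for words rather than for a high ratio of printable bytes when judging which order is right. A real boot capture will also contain code fetches and repeated reads of the same addresses, so expect far more noise than this sample, and only the bytes the firmware actually reads at boot will be present. If neither order produces anything legible, check that the analyzer samples the bus at the point in the read cycle where the flash is driving valid data (per the flash's timing diagram) before assuming the data is encoded.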

I haven't seen the password yet, but I'm still confident it's in there. There is just a lot of data to sniff through... and a large mess on my bench.