Archive for the ‘Hacking’ Category

Xyratex -Autodesk Secrets from the void

26 Jan

I’ve been playing with the Xyratex kit for the past few years, mainly when there is a spare hour or so…
During this time we found any number of really interesting “things” one of which is listed below…

After entering the monitor during boot-up via:

“Press and hold to invoke monitor”

you are presented with a screen showing

“Monitor>”

Entering “?” gives you a list of commands:

and from this list of commands you can do ‘really cool’ things like “upload firmware” or take a look at the temperature…

Let’s be honest… it is absolute garbage.. not worth the time of day other than for very basic maintenance….

However
If you enter the command “set debug

now do the command “?”

And suddenly the whole world opens up for you….

Commands you should NEVER EVER do as a newbie…..
“ef”… You will erase the controller firmware…(bye…..)
“sw”… You will completely destroy your controller firmware if not pre-prepared for this action
“go”… If you randomly enter addresses you can jump into the middle of any number of “dangerous” routines….
“fi”… You can destroy critical ram tables as well as writing to the device I/O
“i2w1”. This can destroy critical settings on the i2c bus 1
“i2w2”. This can destroy critical settings on the i2c bus 2
“fwp1”. This can destroy critical settings on the PCI bus 1
“fwp2”. This can destroy critical settings on the PCI bus 2

Those and any command that does a “write” to any address the user can enter…..

Oh… and if you break it.. there is a good chance that a power cycle WILL NOT CORRECT THE ISSUE………..

Anyone who thinks this is bullshit can go try the “SW” command………
What happens.. is a bug….. the internal flash chips are erased.. then it attempts to copy an alternative firmware that is stored in ram…. but it don’t exist… because you did not pre-store it.. oh and you cannot load one because you don’t know the details of the load file header and validation….. (plus ur running an AD or maybe Xyratex boot monitor)
If it is an AD monitor you are completely fucked.. because it will only load “AD” firmware…
and to date I have never seen an “AD” load file…

so you are left with erased flash chips and no real way to recover……… unless you have firmware files

You would have thought they would validate the “alternative ” firmware BEFORE the chip erase… but nope….. Sorry..
There is a firm warning in the “ver” command… if you can spot it.

What it SHOULD look like before doing anything stupid.

As can be seen we have a safety “default” Alternative Operational firmware saved.

same with the “go” command… you can jump right into one of the many “erase chip” functions by accident…
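The ordering problem described for “sw” above, as an added C sketch that is not Xyratex or Autodesk code: one swap routine erases before it looks for the staged image, the other refuses to touch flash until the image checks out. The header layout (magic, length, additive checksum), the sizes and all function names are assumptions made for the illustration, since the real load-file format is unknown.

```c
#include <stdint.h>
#include <string.h>
#define FLASH_SIZE 64
#define IMG_MAGIC 0x58494D47u /* made-up marker; the real header is unknown */
/* Hypothetical layout of the "alternative firmware" staged in RAM. */
struct staged { uint32_t magic, len, sum; uint8_t body[FLASH_SIZE]; };
static uint8_t flash[FLASH_SIZE]; /* simulated controller flash */
static struct staged ram_slot;    /* simulated RAM staging area */
static uint32_t sum32(const uint8_t *p, uint32_t n) {
    uint32_t s = 0;
    while (n--) s += *p++;
    return s;
}
/* 1 only if an image is present, sanely sized and matches its checksum. */
static int staged_ok(void) {
    if (ram_slot.magic != IMG_MAGIC) return 0;
    if (ram_slot.len == 0 || ram_slot.len > FLASH_SIZE) return 0;
    return sum32(ram_slot.body, ram_slot.len) == ram_slot.sum;
}
void stage_image(const uint8_t *b, uint32_t n) { /* caller keeps n <= FLASH_SIZE */
    ram_slot.magic = IMG_MAGIC; ram_slot.len = n;
    memcpy(ram_slot.body, b, n); ram_slot.sum = sum32(b, n);
}
int flash_is_blank(void) {
    for (size_t i = 0; i < FLASH_SIZE; i++) if (flash[i] != 0xFF) return 0;
    return 1;
}
/* Order described in the post: erase first, look for the image afterwards. */
int swap_erase_first(void) {
    memset(flash, 0xFF, FLASH_SIZE);
    if (!staged_ok()) return -1; /* too late: flash is already blank */
    memcpy(flash, ram_slot.body, ram_slot.len);
    return 0;
}

/* Corrected order: all checks pass before the first destructive step. */
int swap_validate_first(void) {
    if (!staged_ok()) return -1; /* refuse; running firmware untouched */
    memset(flash, 0xFF, FLASH_SIZE);
    memcpy(flash, ram_slot.body, ram_slot.len);
    return sum32(flash, ram_slot.len) == ram_slot.sum ? 0 : -2; /* read back */
}

int main(void) { /* nothing staged, the situation the post describes */
    memset(flash, 0xA5, FLASH_SIZE); /* constructed stand-in for firmware */
    int kept = swap_validate_first() == -1 && !flash_is_blank();
    int lost = swap_erase_first() == -1 && flash_is_blank();
    return (kept && lost) ? 0 : 1;
}
```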

 

Xyratex Autodesk Kit. 54XX

29 Nov

Seems there is STILL some interest in this kit & getting it working with non-Autodesk drives.
There is a multitude of “badge engineered” Xyratex products, not just Autodesk, but it is all locked down in the software.
Other than that the underlying hardware is identical.

I’ve been asked “Why don’t you post a firmware file to allow conversion”

An Anecdote:
Many moons ago I used to work at a very large company..
One day…
I was speaking to the owner and he asked me a question:

A: “Do you have any legal problems… personal… company?”
B: “No”
A: “Pity.. I employ a team of lawyers and they have nothing to do at the moment.. if anything comes to mind give me a call”
B: “Ok will do”
So there you go… If there’s potential for a lightning storm .. you don’t stand under a tree.

Where do I go from here
The first action is to get the SERIAL console connected on the back of the device, it is the USB type connection.
This is SERIAL to SERIAL, just someone stupidly decided it was a good idea to use a USB type connection….
you know….. so that people can shove the WRONG cable & release the magic smoke trapped inside.

Once you get your serial connection, the first thing to do is get the equipment version strings & firmware data.
If you don’t do this.. the chance of getting help is limited.

Generally (what I’ve seen so far)
1. ADnn firmware (this is Autodesk, and they have their own firmware which is based around Xyratex FW with extras).

Those extras include:
Hidden factory options
Special checksums for firmware, ensures only Autodesk firmware can be loaded.
Locked down Disk drives
Extra debugging features for their engineers… (thanks guys…)
Code to ensure you cannot get off the AD firmware track
Different software feature unlock keytable… for the controller FW & “Stone Direct”
The latest Autodesk monitor FW Is AD24

2. ‘nnnn’ firmware, this is Xyratex firmware, it has its own drive markers, but later versions also allow non-branded drives to be used, note however there is a performance IMPACT to using non-branded drives.
This is because the buffer and caching parameters in the disk drive firmware have been optimized for the Xyratex kit
The latest Xyratex monitor FW is 0025 (2.5.6)

    Getting all worked up
    There are some points to note before getting all worked up.

    1. On this older kit, it is HARDWARE FIXED at using drives that are 2TB or LESS
    This is NOT something you can hack or bypass and is due to the embedded silicon.
    LSI62042E1
    LSISASX12A which gets you 3GB/s tops

    (nope.. you cannot drop in new chips.. later chips are not pin compatible)

    2. If you use a drive >2TB the total capacity of the drive is NOT 2TB, it is a logical ‘AND’ of the addressable space bits, so if you install a 3TB drive you will only get ~1TB.
    This limits your disk drive options unless you are prepared to use the disk drive’s embedded command codes to limit the drive’s reported address space (“logical drive capacity”), before putting them into the storage system.

    1. There is zero support for this old kit & zero updates.
    2. If you use it in a production environment… then you are very very stupid and deserve EVERYTHING you get…. (see point above)
    3. Ensure there is NOTHING on the drives before you start working, each manufacturer’s product has different software options and the SOFTWARE KEYS ARE DIFFERENT!!!!!, if you do a conversion your licence keys are no longer valid and the options that worked before will stop working. So if you have advanced snapshot enabled, after a conversion you will lose that function & plus any data you had associated with it.

    Hahaha no way people write code this way….
    Both sets of Firmware (Xyratex/Autodesk) are full of bugs, this may be due to the fact that the Software is clearly Xyratex with patches on top.
    Layer upon layer upon layer of patches & fixes…. and more FLAGS than an American Ticker-tape parade…….

    Lots and lots of hard coded shit….
    Yep… why code things like dates, firmware revisions & code check-sums in a separate Data section… just inline it all into the code…

    Since it was easier to flash the chips I never got round to decoding the checksum routine for the roms….
    so no I don’t have a direct up-loadable firmware file to take an AutoDesk->Xyratex.. I could make one. but it’s all about motivation.

    There is a way to modify a Xyratex FW file so that it can be loaded over an AD firmware, but if anything goes wrong you end up with dead kit and need to flash the onboard chips, it is non software recoverable…….

    How to get an upgrade?
    1. Own a chip programmer
    2. get the info from the monitor
    3. get a picture INSIDE the controller (yep.. there are different versions)
    4. Read out the Binary image on the chip
    5. zip it up
    6. send it to me to take a look

     

    Xyratex Autodesk branded RS-1200 5412E hard drives (Using most drives)

    07 Feb

    Well we picked up a “few” Xyratex RS-1220-F4-5412E Autodesk systems a few years ago, you know the ones with the AD22 firmware that is locked.
    Total cost was $40usd for 4 including a shed load of spare controllers & drive sleds
    The controllers are generally marked:
    RS-LRC-F4-5412E-1024-ADSK 08 Mar-31 (happy decade!!)
    RS-LRC-F4-5402E-1024-ADSK 06 21 (almost a teenager)

    Unfortunately no drives were included.

    Had a quick look on the internet to see if we could find anything on “non Autodesk” drives, mostly just people saying that the devices were locked to drives with a special FW AD02 or AD03
    Others were saying there was a magic firmware AD20 or something…….

    Breakthrough
    I had a few hours to throw at it the other day, since I was waiting for some new PCB’s to assist in a hack of the new Seagate F3 drives with locked down firmware.
    We burnt some drives with a drive sig of XR36 & XR38 inserted them into the array but nothing was showing up , other than the drives were “unsupported”

    I cannae change the laws of physics Captain
    But it’s in here some place


     

    HP Servers with Non HP Disk Drives, Where is Temperature Sensor #29 on DL380?

    05 Nov

    I have a home built system consisting of several HP Proliant DL380 Gen7 & Gen8 servers.
    Now normally when sitting idle these are solid servers with fairly low power consumption and in many cases Whisper quiet when under no load.

    That was until a recent upgrade of a failed disk drive.
    Actually the server went from one Seagate drive to almost exactly the SAME model of Seagate drive with a slight difference in the part number.

    From a ST2000LM007 to ST2000LM015, both are: 2.5″ SATA 6Gb/s 5400RPM, 128Mb ram.
    This simple change has left the internal fans running at 90% of full speed and continual warnings of the drives over heating.

    Temperature Sensor #29
    It is believed that this is a “pseudo sensor”: take a bunch of system temperatures, pass them through a formula or table matrix and arrive at some sort of “system Health” number.
    Why think this? Because it is possible to “fool” this sensor into reporting different temperatures that are not related to anything temperature-like in particular.

    There has also been a very interesting support note released by HP recently covering most of the HP production and EOL systems.
    Notice/ ProLiant Gen7 Gen8 and Gen9 Servers – Fan Speed May Be Higher Than Expected If No Hard Drive Is Present In the System

    I think what we are looking at is not actually a system problem, but rather an iLO X problem, or more likely a design “feature” to lock down the hardware.
    Why would anyone run a server without disk drives? Simple…. cloud implementation… throw in a few optical connectors to an optical switch and a fiber based NAS
    and you have very cheap computing systems that can be easily configured from a central location, no local disk drives needed.

    Problem is that this increase in fan speed “by design”, as HP likes to put it, is potentially breaking the law of some countries related to Environmental impact of electronic equipment.
    Those extra ramped up fans are adding 90-100W to the power consumption, which equates to over 2KWh a day, which adds up to several hundred KWh per year of power that is being “deliberately wasted” for no reason whatsoever (parts NOT fitted in the server, as an option to SAVE power resources).

     

    Turning USB peripherals BadUSB (A confession……)

    08 Aug

    There is currently a ‘stink’ about this article:

    Turning USB peripherals into BadUSB

    These guys appear to have put quite an amount of research into this subject and attack vector.
    However I’m disappointed about how little research and citations of prior work they seem to have included, even if it is not based around USB devices it is still relevant.
    Then there is the ‘case’ of the 3rd party publicly available code to reprogram the SAME USB device released BEFORE their presentation.

    For Example:
    On Hacking MicroSD Cards


     

    USB Storage devices – embedded Trojan analysis/implementation (USB Nand-Flash)

    04 Aug

    How we can build powerful analysis tools from Ebay crap….

    There is lots of cool scrap available on Ebay, specifically items from video processing companies/telecom companies that sold their scrap to clowns who were supposed to ‘destroy it’ ( you know the ones, who advertise ‘secure destruction’ of equipment).
    All you need is a JTAG pod, frequency generator (NE555), multi-tester and a little bit of time.

    Background
    Back In Jan I threw together a library for reading Nand-flash chips on the Arduino, part of the reason for this was to try to throw together a simple and highly cost-effective way to read Nand-flash chips.

    Unfortunately it was a failure due to the read speeds…. BUT….

     

    Bit coin miner from Ebay scrap (The Solar debate VIII)

    13 Jul

    It was not until the start of this year (2013) that there has been such a long run of exponential increases in the bitcoin difficulty.
    Current difficulty is 26162876 with a PPS share rate of 0.00000092 BTC (actually it is lower once you consider fees etc)

    After mining for a few years using various systems- CPU, GPU, FPGA.. The time has now come to reconsider the situation….
    B.F.L have continually failed to deliver what they promised they were experts in…. Power consumption does not match, shipping does not match, quality does not match.
    Back in January, they were saying delivery would be in Two months, they are still claiming that all back orders would be cleared before end of September 2013, personally I find this unlikely since they STILL have not shipped any of my orders, and for them to clear the backlog, they should at least have my orders in ‘production’ (I’m in the top quarter of their estimated order book).
    Plus the number of people who have had new ASIC kit only for it to fail abysmally is rapidly increasing..
    I have decided to give them until the middle of August and then I’m pulling the plug on the orders.
