How to recover a lost password on a Baystack 301

From: Charles Sprickman 
Subject: Re: BayStack 301 - Lost password
Newsgroups: comp.dcom.sys.bay-networks
Message-ID: <36126ee4.0@news.inch.com>
Date: 30 Sep 98 17:48:20 GMT
Organization: The Internet Channel

Thanks to many people's help, I have recovered the password on my 301
switch without sending it back to Bay!!

A summary of the technique:

- connect to the console, enter 'secret' debug mode
- dump certain memory locations while logging with your term prog.
- manipulate the text a bit to remove extraneous junk.
- convert file to "binary" format
- run strings(1) or equivalent on it
- read your snmp strings and password

Thanks to "Erick" for digging up the debug info, and "Mr. Morrison"
for showing me how cool perl is.  If either of these folks would like
their full names/email posted, let me know.

Now for the step-by-step:

- get a good term program that can log everything
- connect to the switch (9600,8,N,1)
- when you have a prompt, type 'eng'
- at the password prompt, type 'debug'
- you should now have an 'eng>' prompt.  
- type 'what'
- you should now have a 'what?' prompt.  (cute, huh?)

You are now in super secret debug mode.  For those Bay folk that claim
that even physical access will not allow overtaking the switch (and 
I'm discounting the fact that you can yank the plug) at this point you
have access to read and write any memory address.  If one knew exactly
where to poke, you could put your own password in and log in...

- Now you start using the 'd' command (dump) to capture the info.  If
  you poke or push the wrong address space you might reload the switch,
  so be careful.  The doc below claims the backspace is a bad key to use.
- type 'd 0bfc60000'
- you'll see the numbers on the left that correspond with the 0bfc60000
  count up.  Each press of the 'd' key prints more.  Keep pressing 'd'
  until you reach 0bfc607ff.  This area seems to contain the snmp strings.
- type 'd 0bfc70000' and press 'd' like above until you reach 
  0bfc707ff.  This looks to be where the password is stored.
- have your term program stop saving and go take the file somewhere
  that has perl and unix tools available.

You now have the password and just have to convert it to a readable
format.  It should look something like this:

BFC60000: 000090C3 DEAD1BAD 00030002 00000888
BFC60010: 002C0008 0055AA55 03010101 00010000
BFC60020: 18001800 00000000 00000000 00421800
BFC60030: 4520AA51 00020201 0118182E 55AA55AA
BFC60040: AA55AA55 052C0000 00AA55AA 53706565
BFC60050: 64343033 32613400 00000000 00000000
BFC60060: 00000000 00000000 00000000 00000000
BFC60070: 00000000 00000000 00000000 00000000
 
- open the file in your favorite editor and remove all of the "junk",
  all you want are the results of the dump.  Try to get rid of the 'd's'
  you typed.
- do something like "cat file | awk '{print $2, $3, $4, $5}' > outfile"
  to remove the first column.  Then you'll have lines like:
     000090C3 DEAD1BAD 00030002 00000888
     002C0008 0055AA55 03010101 00010000
- now you're really close.  Here's a little perl program someone
  gave me that will turn this into a "binary" file:

  #!/usr/local/bin/perl
  # this should convert the file.  try running strings(1) on it.
  # Every whitespace-separated token is treated as a hex word and packed
  # into raw bytes, so the address column must already be stripped.

  unless (-e $ARGV[0] and defined $ARGV[1]) {
      die 'usage: ./script inputfile outputfile';
  }

  open INFILE, "<$ARGV[0]" or die "cannot open $ARGV[0]: $!";
  open OUTFILE, ">$ARGV[1]" or die "cannot open $ARGV[1]: $!";

  while ($line = <INFILE>) {
      foreach (split /\s+/, $line) {
          print OUTFILE pack("H*", $_);
      }
  }

  close INFILE;
  close OUTFILE;

- you should now have your password and snmp strings.  Run strings(1)
  on the output of the above program and you'll see everything you 
  need in plaintext.

Damn, that's a lot of work.  Still quicker than RMA-ing the box, and
being switchless isn't a good solution.  This way you can keep your 
network up instead of waiting for the RMA department to get you a
"fixed" replacement.

THINGS TO NOTE:

I make no claims to the safety or accuracy of any of this, nor do
any of the people from whom I received any of this info.

This was tested on version 1.0.0 of the software.  The location of
all this info may have very well changed in newer revs.  If worst
comes to worst, you can always dump everything ;)  Or maybe some kind
Bay engineer might post memory locations for the newer software.

Working together is fun.

Here's some of the message from Erick, in case you want to see where
I got my info from:

[begin quoted material]
>From xxx@hotmail.com Wed Sep 30 13:04:03 1998
Date: Wed, 23 Sep 1998 01:50:30 PDT
From: Erick 
To: spork@inch.com
Subject: Re: BayStack 301 - Lost password

Charles,

Below is what I have, and it is partial. I came across this on the net... I
do not have access to a 301 at the moment (don't think I have even
touched one yet) so have not verified or tried this.

-------------- pasted info

You need to capture the following output with your terminal program to a 
file. 

At the prompt type 'eng'. It will prompt for a password. Type 'debug' 
for the password. Type 'what' at the eng prompt 

You will now have a what? prompt. 
Be very careful here and don't hit the backspace key. 
If a mistake is made, type 'x'. 

At the what? prompt, type 'd 0bfc60000' 
Keep dumping ('d') until bfc607FF. 
Next, type 'd 0bfc70000' and keep dumping until bfc707FF. 

At this point, you need to send the captured info to Bay to turn into a 
p/w. 

------- end of partial procedure

Hope that is useful to you. Perhaps the dump contains the password in 
the clear... you can also try holding the reset button down for 20 
seconds or so ( that trick works on some hubs ). 

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
[end quoted material]

And here's the perl script again:

[begin quoted material]

From: dmorrisn 
To: spork 
Subject: Re: hex<->ascii?

#!/usr/local/bin/perl
# this should convert the file.  try running strings(1) on it.

unless (-e $ARGV[0] and defined $ARGV[1]) {
    die 'usage: ./script inputfile outputfile';
}

open INFILE, "<$ARGV[0]" or die "cannot open $ARGV[0]: $!";
open OUTFILE, ">$ARGV[1]" or die "cannot open $ARGV[1]: $!";

while ($line = <INFILE>) {
    foreach (split /\s+/, $line) {
        print OUTFILE pack("H*", $_);
    }
}

close INFILE;
close OUTFILE;
[end quoted material]

Thanks for your time,

Charles

-- end of forwarded message --
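The dump rows quoted in the post show why the procedure works at all: the configuration region holds its strings as plain ASCII, so anyone with console access can read them back out. The Python below is an added example, not code from the post or its contributors; it folds the hand-editing, awk and pack steps into one parser that takes a raw terminal capture of a 'd' session, drops prompt and keystroke noise, rebuilds the bytes by address, and does a strings(1)-style scan. The sample capture is constructed from the rows quoted above, with the 'what?' prompt and stray 'd' lines added to stand in for logging noise.

```python
import re

# Constructed sample: the start of a BayStack 301 'd 0bfc60000' session as a
# terminal program would log it, with the 'what?' prompts and stray 'd'
# keystrokes the post says to edit out. The dump rows are the ones quoted above.
SAMPLE_CAPTURE = """\
what? d 0bfc60000
BFC60000: 000090C3 DEAD1BAD 00030002 00000888
BFC60010: 002C0008 0055AA55 03010101 00010000
BFC60020: 18001800 00000000 00000000 00421800
BFC60030: 4520AA51 00020201 0118182E 55AA55AA
d
BFC60040: AA55AA55 052C0000 00AA55AA 53706565
BFC60050: 64343033 32613400 00000000 00000000
what? x
"""

# One dump row: 8-hex-digit address, colon, four 8-hex-digit words.
DUMP_ROW = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8}){4})\s*$")

def parse_dump(capture):
    """Return (base_address, bytes) for a logged 'd' session. Non-row lines are
    dropped and rows are placed by address, so a repeated row cannot shift the image."""
    rows = {}
    for line in capture.splitlines():
        m = DUMP_ROW.match(line)
        if m:
            rows[int(m.group(1), 16)] = bytes.fromhex("".join(m.group(2).split()))
    if not rows:
        return None, b""
    base = min(rows)
    image = bytearray(max(rows) + 16 - base)   # unseen rows stay zero-filled
    for addr, chunk in rows.items():
        image[addr - base:addr - base + 16] = chunk
    return base, bytes(image)

def find_strings(base, image, min_len=4):
    """strings(1)-style scan: (absolute_address, text) for every run of at
    least min_len printable ASCII bytes (0x20-0x7E)."""
    hits, run, start = [], [], 0
    for i, b in enumerate(image + b"\x00"):   # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            start = i if not run else start
            run.append(chr(b))
        else:
            if len(run) >= min_len:
                hits.append((base + start, "".join(run)))
            run = []
    return hits
```

Feed the whole log file to `parse_dump` and pass the result to `find_strings`; each hit is reported with the absolute address it was read from, so it can be matched against the 0bfc6xxxx and 0bfc7xxxx ranges named in the post.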
