Bugtraq mailing list archives

Re: Breaking in from the monitor at the console


From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Tue, 7 Jun 94 16:39:36 EDT


der Mouse writes:

For one thing, that assumes the machine will boot far enough for you to
log in (as root, since presumably nobody else can read /dev/eeprom).
If it's set fully secure (eeprom secure=full), this is not normally the
case.  As for whether it's the first word, that is not true on the one
machine I just tried; it may depend on the machine (this was tried on a
SPARCstation 1+).

A far more useful thing is to use 'od -a' on the correct offset. The fully
comprehensive guide to the eeprom can be gleaned from examining
/usr/include/mon/{eeprom.h,password.h}. According to this the password
structure is at 0x490, and the password itself at 0x494-0x49b inclusive.

Also, as I mentioned before, certain actions appear to ignore the password.
The most notable of these is the ability to sometimes state which device and
file to boot from. This prompt seems to appear with diskless machines and a
boot server that is down (or maybe just disconnections from the network at the
correct time).

And, once again, I have seen machines have their prom passwords wiped by
nothing more complex than repeated 'L1-A' 'c' commands during reboot. I
haven't tested this myself for a couple of years, though, so more recent PROMs
may be fixed.

When I did "strings - /dev/eeprom", I got 8 strings:

      45670123
      31204567
      Ec#Y;A1y
      sd()vmunix
      le()vmunix

This reminds me of someone who had a PROM password along the lines of the
'le()vmunix' style of string. Rather cunningly picked to deter or confuse the
strings attack :)

        James
--
James Bonfield (jkb () mrc-lmb cam ac uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.


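The offset-based read James describes above (an 'od -a' at the password structure at 0x490, with the 8-byte password field at 0x494-0x49b), as an added example that is not part of the original post. It builds a constructed EEPROM image file standing in for /dev/eeprom, writes a made-up password into the field, and then dumps and extracts it; the image path, the 0x500-byte image size and the password value are assumptions, while the offsets are the ones the post cites from /usr/include/mon/{eeprom.h,password.h}.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the PROM password field
# from an EEPROM image at the offsets the post cites (0x490 structure,
# 0x494-0x49b password). A constructed image file stands in for /dev/eeprom.
set -e

# Assumption: image path; on a real Sun you would point this at /dev/eeprom (as root).
EEPROM_IMG="${EEPROM_IMG:-${TMPDIR:-/tmp}/eeprom-example.img}"
PW_STRUCT_OFF=$((0x490))   # start of the password structure (per the post)
PW_OFF=$((0x494))          # first byte of the password itself (per the post)
PW_LEN=8                   # 0x494-0x49b inclusive

# Build a constructed 0x500-byte all-zero image with the given password
# written into the 8-byte field at 0x494. Only for this example.
make_test_image() {
    dd if=/dev/zero of="$EEPROM_IMG" bs=1 count=$((0x500)) 2>/dev/null
    printf '%s' "$1" | dd of="$EEPROM_IMG" bs=1 seek=$PW_OFF conv=notrunc 2>/dev/null
}

# The post's 'od -a' at the correct offset: 16 bytes from 0x490, shown as
# characters with hex addresses so the field boundaries are visible.
dump_password_struct() {
    od -A x -t c -j $PW_STRUCT_OFF -N 16 "$EEPROM_IMG"
}

# Extract exactly the 8-byte password field, dropping NUL padding of
# passwords shorter than 8 characters.
read_password() {
    dd if="$EEPROM_IMG" bs=1 skip=$PW_OFF count=$PW_LEN 2>/dev/null | tr -d '\000'
}

# "set" or "unset" depending on whether the field holds anything but NULs.
password_state() {
    if [ -n "$(read_password)" ]; then echo set; else echo unset; fi
}

# Run directly: build the constructed image, dump the structure, show the field.
make_test_image 'pr0mpwd!'   # constructed password, not a real one
dump_password_struct
printf 'password field: %s (%s)\n' "$(read_password)" "$(password_state)"
```

Reading the field by offset is what makes this more reliable than `strings - /dev/eeprom`: `strings` only reports runs of four or more printable bytes, so a short or punctuation-heavy password (or one deliberately chosen to look like the 'le()vmunix' boot strings nearby) can hide among the other output, whereas the 8 bytes at 0x494 are the password whatever they contain. Check the offsets against the headers on your own machine before trusting them, as the post itself does.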
