AP9210
Latest revision as of 17:56, 31 October 2013
I just won two of these in eBay auctions 151145957599 (http://www.ebay.com/itm/151145957599) and 151145957933 (http://www.ebay.com/itm/151145957933). (Ridiculously cheap, too.)
They've arrived, but I wasn't sent the credentials to log in and configure them. Not a problem. Daren Matthews has a blog entry (http://mccltd.net/blog/?p=36) detailing a backdoor password that allows one access to some menus that can be used to dump the devices' configuration EEPROM data. This conveniently includes a user name and plaintext password. (Though they are in a funny byte-swapped format.)
So, attach a null modem cable to the AP9210's serial port, or telnet to it if you can determine its IP address (a task made simple with arpwatch). Provide any username you like and use TENmanUFactOryPOWER as the password. A menu will be printed with a "Dump EEPROM" (or similarly named) option; dump the EEPROM contents.
Did I mention the strings in the EEPROMs are byteswapped? Here's an example of what was in mine (word offset, eight hex bytes, then the ASCII column):
 ...
 000C 89 9C 30 A4 2F 33 33 32 ..0./332
 0010 31 2F 39 39 00 39 50 41 1/99.9PA
 0014 32 39 30 31 00 00 27 DC 2901..'.
 0018 57 37 39 41 31 39 30 33 W79A1903
 001C 31 30 37 32 00 34 C0 00 1072.4..
 ...
These two devices are running firmware versions 1.1.1 and 1.1.2. Based on the Daren Matthews blog, I'm guessing other versions of the firmware don't do that.
It almost looks like there could be an "AP9210" in there if you're dyslexic, right? Here's my fix for reading it, which swaps each pair of the last eight characters on every row (the ASCII column only):
 # swap adjacent characters in the trailing 8-character ASCII column of each row
 sed -e 's@\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)$@\2\1\4\3\6\5\8\7@' AP9210-eeprom-contents
Which turned the 5 lines above into:
 000C 89 9C 30 A4 2F 33 33 32 ...03/23
 0010 31 2F 39 39 00 39 50 41 /1999.AP
 0014 32 39 30 31 00 00 27 DC 9210...'
 0018 57 37 39 41 31 39 30 33 7WA99130
 001C 31 30 37 32 00 34 C0 00 01274...
Yes, I was lazy and didn't bother to swap the hex values.
Anyway, with this, the username and password set on the device was fairly easy to pick out, further down in the EEPROM contents...
Oh, do heed the warning about the security issues on these things. Not only is there a back door password that would allow an attacker to change the power settings of your equipment, but it can also be used to change the admin credentials on it, and, as the dump above shows, to read the existing ones in plaintext. Since that password is fixed and published, the network port of any unit still running this firmware belongs on a management network that untrusted hosts cannot reach, and physical access to the serial console should be treated as equivalent to admin access.
More on the funny byte swapping
Further reflection has me thinking that the EEPROM dump on this firmware version is just a bit nonsensical. Note that the offset number in each row increases by 4 (0000, 0004, 0008, 000C, 0010) but it prints 8 bytes per row. From this, I posit that the EEPROM dump is reading out 16-bit values in the embedded processor's native byte order, so each printed offset is a word offset and the real byte offset is twice that. APC must have changed this behavior in more recent firmware releases (the Daren Matthews blog page shows the offset values increasing by 8 per row).
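The sed one-liner above only fixes the ASCII column, and the word-offset observation in this section means the hex bytes and the addresses need the same treatment before anything further down (the user name and password included) can be read off reliably. The following script is an added example written for this page, not the wiki author's tooling or anything from APC: it parses dump rows in the layout shown above, swaps the two bytes of every 16-bit word, places each row at twice its printed offset, and then walks the reassembled image for printable runs, which is exactly the step that surfaces the credentials. The five sample rows are the ones quoted above; the row format (4-digit word offset, eight hex bytes, ASCII column) and the 16-bit-word hypothesis are assumptions taken from this section.

```python
"""Un-swap an AP9210 EEPROM dump and pull the printable strings out of it.

Added example for this page; it is not the wiki author's tooling or APC code.
It assumes the dump layout shown on the page (a 4-digit word offset, eight hex
bytes, an eight-character ASCII column) and the page's hypothesis that each
pair of bytes is one 16-bit word printed in the processor's native byte order.
"""
import re

# The five rows quoted on the page, reused here as sample input (the "..."
# lines stand in for the menu chatter and rows that were elided there).
SAMPLE_DUMP = """\
...
000C 89 9C 30 A4 2F 33 33 32 ..0./332
0010 31 2F 39 39 00 39 50 41 1/99.9PA
0014 32 39 30 31 00 00 27 DC 2901..'.
0018 57 37 39 41 31 39 30 33 W79A1903
001C 31 30 37 32 00 34 C0 00 1072.4..
...
"""

# A word offset followed by exactly eight hex bytes. The ASCII column is not
# parsed; it is recomputed from the bytes (the sed trick only fixed that column).
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2}){8})\b")


def parse_dump(text):
    """Return [(word_offset, raw_bytes)] for every dump row; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return rows


def unswap(raw):
    """Swap the two bytes of every 16-bit word; a trailing odd byte is left alone."""
    out = bytearray(raw)
    for i in range(0, len(raw) - 1, 2):
        out[i], out[i + 1] = raw[i + 1], raw[i]
    return bytes(out)


def to_ascii(data):
    """Render bytes the way the dump does: printable ASCII as-is, everything else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def fixed_rows(text):
    """Re-emit each row with both the hex and the ASCII columns un-swapped."""
    result = []
    for off, raw in parse_dump(text):
        fixed = unswap(raw)
        result.append("%04X %s %s" % (off, " ".join("%02X" % b for b in fixed), to_ascii(fixed)))
    return result


def reassemble(rows):
    """Join rows into one byte image keyed by BYTE offset (2 x the printed word offset).

    Rows are placed by address rather than concatenated, so an excerpt that starts
    mid-way or has gaps still lands where it belongs; unknown bytes become 0x00.
    Returns (image, byte_offset_of_first_byte).
    """
    image = {}
    for word_off, raw in rows:
        for i, b in enumerate(unswap(raw)):
            image[word_off * 2 + i] = b
    if not image:
        return b"", 0
    lo, hi = min(image), max(image)
    return bytes(image.get(o, 0) for o in range(lo, hi + 1)), lo


def printable_strings(data, base=0, min_len=4):
    """Return [(byte_offset, text)] for every run of at least min_len printable bytes."""
    found, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a run at end of data
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((base + start, data[start:i].decode("ascii")))
            start = None
    return found


if __name__ == "__main__":
    for row in fixed_rows(SAMPLE_DUMP):
        print(row)
    image, base = reassemble(parse_dump(SAMPLE_DUMP))
    for off, text in printable_strings(image, base):
        print("%04X %s" % (off, text))
```

Run against a full dump saved from the serial session, the same printable_strings() pass is what lists the user name and password that the page says sit further down; on the excerpt above it already recovers the build date and the model string at byte offsets 0x1B and 0x26, i.e. twice the word offsets the firmware printed.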