SFP modules GigaLight

[zburget]

Greetings,
I have a lot of modules with the GigaLight brand. I need to modify the code in them, but they are protected by a write password.
I try to search password by bruteforce password finder. I set the password location at A2h, 7Bh, access type to Manufacturer, range 80 00 00 00 - FF FF FF FF (in accordance with the MSA standard) and I left checked "Apply range to single bytes" (which is the default setting).
Speed of password searching is approx 1660/s - ie password search took approx 15 days. Unfortunately, the password wasn't found.

O.K. - I can try search password with unchecked "Apply range to singele bytes" (15 more days), or I can try search password in range 00 00 00 00 - 7F FF FF FF with and without checking "Apply range to singele bytes" (30 more days). That's quite a lot of time. Therefore, I would like to ask if any of you know the password I search. Or at least some more accurate range in which it is appropriate to look for.
Alternatively - is it possible that the password is located at some address other than the A2h, 7Bh?
Or where else can there be the snag?

Thanks

[ArT]

It can be not MSA compilant and password can be located in range 00 00 00 00 - 7F FF FF FF or it can be located in other area or it can be protected on other way. It's not often case, but sometimes this is the case. First of all I recommend to check range all ascii chars (you have the highest probability of success here), then please search in range 00 00 00 00 - 7F FF FF FF .

[zburget]

Thanks for the ideas, I'm already working on it.

However - I know for sure that SFP is protected by password. let's say I could theoretically know the password, but it doesn't work at A2h, 7Ch. Is it possible to find out at which address to be password entered?

[ArT]

It depends. If password is stored within the same page - yes, but if in other page, you need to first set this page. Interesting case, software does not support such feature at the moment, but I noted it to todo list

[zburget]

Based of this document - GigaLight SFP/XFP/QSFP Programmer manual, page 9 it could be guessed at which addresses the password could be.

[ArT]

Do you mean page 0x10? We can try to implement such feature in brute force tool. Could you send us 1 module for testing? We will send it back when beta software will be ready. If yes, please contact with me on PM,

[zburget]

I mean address 7Bh in A0h block (but I unsuccessfully try this address)
or address FCh in A2h block at unknown page.

I don't think that they would wrote the exact position of the password in the public manual.

[TRX]

Greetings,
I have a lot of modules with the GigaLight brand. I need to modify the code in them, but they are protected by a write password.
I try to search password by bruteforce password finder. I set the password location at A2h, 7Bh, access type to Manufacturer, range 80 00 00 00 - FF FF FF FF (in accordance with the MSA standard) and I left checked "Apply range to single bytes" (which is the default setting).
Speed of password searching is approx 1660/s - ie password search took approx 15 days. Unfortunately, the password wasn't found.

O.K. - I can try search password with unchecked "Apply range to singele bytes" (15 more days), or I can try search password in range 00 00 00 00 - 7F FF FF FF with and without checking "Apply range to singele bytes" (30 more days). That's quite a lot of time. Therefore, I would like to ask if any of you know the password I search. Or at least some more accurate range in which it is appropriate to look for.
Alternatively - is it possible that the password is located at some address other than the A2h, 7Bh?
Or where else can there be the snag?

Thanks

Hi. In GigaLight modules password is 38343732 and located at address A2h, FCh.

[zburget]

Yes! This is it!

Thank very much!

I had the right numbers but in reverse order
And I didn't know the correct address.

I have tried to search the combination now (when I know it and I know where to look for it). And I found the following:
I must run serach without checked "Apply range to single bytes".
In first step is found range in which password is and in second step is found number combination by one larger. I suppose it would be good to extend "write delay" to a higher value than 10 ms (by default). Range in second step is so small, that even relatively long delay will not be a problem for password searching.

[zburget]

…and one more knowledge/remark to password finder.
If I select Range limit to ASCII*, option Apply range to single bytes is checked without the possibility of uncheck.
Although is password for GigaLight module in range of ASCII numbers, is not possible to find it. Apply on the single bytes would need to turn off.
It would be good to make this option as "checkable" in all cases.