Writing protected SFP / QSFP / XFP and searching password (brute force method)


Post by ArT » Mon Jan 20, 2020 2:43 pm

Optical transceivers (SFP/SFP+, QSFP/QSFP+, XFP) may be write protected or unprotected. Most OEM transceivers are not protected, so they can be easily modified and programmed. But many popular manufacturers (e.g. HP, Cisco, Finisar, JDSU etc.) protect their transceivers, so they can be read but cannot be written. Sometimes the protection is a password (most cases), sometimes the module is protected during the manufacturing process and cannot be edited in the future (rarely). In this topic I'll describe the protection mechanism that uses a password. I'll also show you a tool for brute-forcing and hacking the password.

There are 2 types of passwords:

  • host password (also known as user password)
  • manufacturer password
[Figure: MSA Standard password types]

Host/User Password

The host password protects the User Writable EEPROM area - if you know the password you can modify only the user EEPROM. The location of this area varies depending on transceiver type, e.g. for SFP it's page 0 in block A2h, for QSFP it's page 2 in block A0h, for XFP it's table 2 in block A0h (please check the MSA Standard specification for SFP/QSFP/XFP, e.g. SFF-8472, SFF-8636, INF-8077i for more details). In most cases the user can change this password (if the current password is known). All factory new transceivers should have the default host password: 00h 00h 10h 11h

Manufacturer Password

The manufacturer password protects the whole memory map, e.g. serial number, product name, manufacturer name etc. - if you know the manufacturer password you can modify anything. Only the manufacturer knows this password and they do not want to share it with anyone.

Password location

The password is 4 bytes long and should be entered at:
  • Block A2h, offset 7Bh for SFP / SFP+
  • Block A0h, offset 7Bh for QSFP/QSFP+ and XFP

REVELPROG-IS has a dedicated function for entering the password:
[Figure: Unlocking QSFP / SFP / XFP transceivers with password]

When you enter a valid password you will unlock the transceiver. A valid manufacturer password will unlock the whole EEPROM. A valid host password will unlock only the user EEPROM area.

Hacking password (brute-force method)

REVELPROG-IS has a dedicated tool for searching for the password:
[Figure: Brute force password for SFP / QSFP / XFP transceivers]

You can search for the host password and the manufacturer password.

YouTube video with example: https://www.youtube.com/watch?v=ca7n3T7THyE

For the host password it's recommended to search only ASCII letters, numbers and special characters (you can limit the search range), so in the worst case scenario you will need to check ~81 million combinations. Please note that based on the MSA standard the default host password should be 0x00 0x00 0x10 0x11 for all new transceivers.

For the manufacturer password you will need to check all combinations, but based on the MSA standard it should be in the range of 0x80000000 to 0xFFFFFFFF, so in the worst case scenario you will need to check ~2 billion combinations. You have no real chance of doing it manually, but with the REVELPROG-IS password tool for SFP/QSFP/XFP it's possible. It's not easy, but possible.

REVELPROG-IS is a very fast programmer - everything depends on transceiver speed. The programmer has smart procedures implemented, so it adjusts the brute force speed to work as fast as possible with different modules. For most transceivers it will search about 300 passwords per second, so to find the host password (ASCII chars only) you will need about 3 days (worst case scenario). For the manufacturer password it's more complicated, because you have a looooot of combinations (2 147 483 648 to be specific), and even if it's checking ~300 passwords/s you will need about 100 days to check all combinations. But MCU based QSFP+ & SFP+ transceivers with FRAM or FLASH (EEPROM emulation) are much faster, so you can make use of the real potential of REVELPROG-IS. The maximum search speed (from tests) is about 4000 passwords per second, so you will need less than 6 hours (worst case scenario) to find the host password and about 5 days (or less if you are lucky) to find the manufacturer password.
[Figure: Searching SFP host password with maximum speed (fastest SFP transceivers)]

It's really fast for such a huge number of possible combinations. And you do not have to check all combinations - if you have any information about the range the password will be in, you can limit the search to this range.

For example, SFP Finisar FTLF8524P2BNV - it took 29 hours to find the manufacturer password (checking all combinations). Sorry for the screenshot in Polish, but the password was being searched on a few computers and the Polish language was set:
[Figure: SFP FINISAR_FTLF8524P2BNV found manufacturer password]

With a known manufacturer password you can edit the serial number, product name, vendor name etc. You can edit the whole EEPROM area.

OEM Transceivers

The other solution is to buy an unprotected OEM transceiver. There are many SFP/QSFP/XFP manufacturers which offer unprotected modules in the MSA standard. You can read a protected transceiver and copy it to another, unprotected transceiver. It will work in most cases.

Tools used in this tutorial (REVELPROG-IS programmer + QSFP/SFP/XFP Adapter)

In this tutorial I used the REVELPROG-IS programmer with the dedicated adapter for QSFP/SFP/XFP transceivers.
[Figure: Adapter for QSFP SFP XFP transceivers and REVELPROG-IS programmer]

REVELPROG-IS is a serial programmer with dedicated features for SFP / QSFP / XFP transceivers. It allows you to read/write the transceiver EEPROM, modify the vendor name, serial number and transceiver configuration, read diagnostic data, and modify the user area and any page or table in the memory map.
[Figure: REVELPROG-IS software with dedicated features for optical transceivers]
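
The post above notes that vendor name, product name and serial number sit in the module EEPROM and can be rewritten once the manufacturer password is known, so these fields are not proof of origin. As an added example (not part of the original post and not REVELPROG-IS code), this Python sketch parses the identity fields of an SFP block A0h dump and compares them with an inventory record; the field offsets are taken from SFF-8472, and the dump, vendor name and serial numbers are constructed samples.

```python
# Added example. Offsets are for SFP/SFP+ block A0h as defined in SFF-8472.
FIELDS = {  # name: (offset, length)
    "vendor_name": (20, 16),
    "vendor_pn": (40, 16),
    "vendor_rev": (56, 4),
    "vendor_sn": (68, 16),
    "date_code": (84, 8),
}
CHECKSUMS = {"cc_base_ok": (0, 62, 63), "cc_ext_ok": (64, 94, 95)}  # first, last, stored at

def checksum(data, first, last):
    """Low 8 bits of the sum of data[first..last] inclusive."""
    return sum(data[first:last + 1]) & 0xFF

def parse_identity(a0):
    """Decode the identity fields and check both checksums of an A0h dump."""
    if len(a0) < 96:
        raise ValueError("need at least the first 96 bytes of block A0h")
    ident = {name: a0[off:off + n].decode("ascii", "replace").rstrip(" \x00")
             for name, (off, n) in FIELDS.items()}
    for name, (first, last, stored) in CHECKSUMS.items():
        ident[name] = checksum(a0, first, last) == a0[stored]
    return ident

def audit(a0, baseline):
    """Return fields that differ from the inventory record, plus failed checksums."""
    ident = parse_identity(a0)
    findings = [name for name in FIELDS if ident[name] != baseline.get(name)]
    return findings + [name for name in CHECKSUMS if not ident[name]]

def build_sample(vendor, pn, sn, rev="A", date="200120"):
    """Constructed A0h image for the demo, not a dump of a real module."""
    a0 = bytearray(96)
    a0[0] = 0x03  # identifier byte: SFP/SFP+
    values = {"vendor_name": vendor, "vendor_pn": pn, "vendor_rev": rev,
              "vendor_sn": sn, "date_code": date}
    for name, text in values.items():
        off, n = FIELDS[name]
        a0[off:off + n] = text.ljust(n).encode("ascii")
    for first, last, stored in CHECKSUMS.values():
        a0[stored] = checksum(a0, first, last)
    return bytes(a0)

if __name__ == "__main__":
    recorded = build_sample("EXAMPLE VENDOR", "EX-1000", "SN0001")
    baseline = parse_identity(recorded)   # stored when the module was received
    edited = bytearray(recorded)
    edited[68 + 5] = ord("9")             # serial changed, checksum left stale
    print(audit(recorded, baseline))
    print(audit(bytes(edited), baseline))
```

The checksums only catch corruption or careless edits; a dump with consistent checksums but a different serial number is caught only by the comparison with the recorded baseline.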


Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Post by marteepee » Tue Feb 18, 2020 12:52 pm

Functionality usefulness confirmed.
Password found after 2 days of searching. Fortunately the manufacturer uses the same password for all SFPs of the same family.
Great job Reveltronics Team! Thanks!
PS. Manufacturer and password not shown publicly for objective reasons ;)
