Writing protected SFP / QSFP / XFP and searching password (brute force method)


Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby ArT » Mon Jan 20, 2020 2:43 pm

Optical transceivers (SFP/SFP+, QSFP/QSFP+, XFP) may be write protected or unprotected. Most OEM transceivers are not protected, so they can be easily modified and programmed. But many popular manufacturers (e.g. HP, Cisco, Finisar, JDSU etc.) protect their transceivers so they can be read but not written. Sometimes they are protected with a password (most cases), sometimes they are protected at the manufacturing stage and cannot be edited later (rarely). In this topic I'll describe the protection mechanism that uses a password. I'll also show you a tool for brute-forcing and hacking the password.

There are 2 types of passwords:

  • host password (also known as user password)
  • manufacturer password
Image: MSA Standard password types (passwords.png)

Host/User Password

The host password protects the User Writable EEPROM area - if you know the password you can modify only the user EEPROM. The location of this area varies depending on the transceiver type, e.g. for SFP it's page 0 in block A2h, for QSFP it's page 2 in block A0h, for XFP it's table 2 in block A0h (please check the MSA Standard specification for SFP/QSFP/XFP, e.g. SFF-8472, SFF-8636, INF-8077i, for more details). In most cases the user can change this password (if the current password is known). All factory-new transceivers should have the default host password: 00h 00h 10h 11h

Manufacturer Password

The manufacturer password protects the whole memory map, e.g. serial number, product name, manufacturer name etc. - if you know the manufacturer password you can modify anything. Only the manufacturer knows this password and they do not want to share it with anyone.

Password location

The password is 4 bytes long and should be entered at:
  • Block A2h, offset 7Bh for SFP / SFP+
  • Block A0h, offset 7Bh for QSFP/QSFP+ and XFP

REVELPROG-IS has a dedicated function for entering the password:
Image: Unlocking QSFP / SFP / XFP transceivers with password (qsfp-sfp-xfp_password-tool.png)

When you enter a valid password you will unlock the transceiver. A valid manufacturer password will unlock the whole EEPROM. A valid host password will unlock only the user EEPROM area.

Hacking password (brute-force method)

REVELPROG-IS has a dedicated tool for searching for the password:
Image: Brute force password for SFP / QSFP / XFP transceivers (SFP_search_password.png)

You can search for the host password and the manufacturer password.

YouTube video with example: https://www.youtube.com/watch?v=ca7n3T7THyE

For the host password it's recommended to search only ASCII letters, numbers and special characters (you can limit the search range), so in the worst case you will need to check ~81 million combinations. Please note that based on the MSA standard the default host password should be 0x00 0x00 0x10 0x11 for all new transceivers.

For the manufacturer password you will need to check all combinations, but based on the MSA standard it should be in the range 0x80000000 to 0xFFFFFFFF, so in the worst case you will need to check ~2 billion combinations. You have no real chance of doing it manually, but with the REVELPROG-IS password tool for SFP/QSFP/XFP it's possible. It's not easy, but possible.

REVELPROG-IS is a very fast programmer - it all depends on the transceiver speed. The programmer has smart procedures implemented, so it adjusts the brute force speed to work as fast as possible with different modules. For most transceivers it will search about 300 passwords per second, so to find the host password (ASCII chars only) you will need about 3 days (worst case). For the manufacturer password it's more complicated, because you have a looooot of combinations (2 147 483 648 to be specific :twisted: ); even if it's checking ~300 passwords/s you will need about 100 days to check all combinations. But MCU-based QSFP+ & SFP+ transceivers with FRAM or FLASH (EEPROM emulation) are much faster, so you can make use of the real potential of REVELPROG-IS. The maximum search speed (from tests) is about 4000 passwords per second, so you will need less than 6 hours (worst case) to find the host password and about 5 days (or less if you are lucky 8-) ) to find the manufacturer password.
Image: Searching SFP host password with maximum speed (fastest SFP transceivers) (sfp-searching-host-password.png)

It's really fast for such a huge number of possible combinations. And you do not have to check all combinations - if you have any information about what range the password is in, you can limit the range.

For example, for the SFP Finisar FTLF8524P2BNV it took 29 hours to find the manufacturer password (checking all combinations). Sorry for the screenshot in Polish, but the password was being searched on a few computers and the Polish language was set:
Image: SFP FINISAR_FTLF8524P2BNV found manufacturer password (FINISAR_Manufacturer-Password.png)

With a known manufacturer password you can edit the serial number, product name, vendor name etc. You can edit the whole EEPROM area.

OEM Transceivers

The other solution is to buy an unprotected OEM transceiver. There are many SFP/QSFP/XFP manufacturers which offer unprotected modules in the MSA standard. You can read a protected transceiver and copy it to another, unprotected transceiver. It will work in most cases.

Tools used in this tutorial (REVELPROG-IS programmer + QSFP/SFP/XFP Adapter)

In this tutorial I used the REVELPROG-IS programmer with the dedicated adapter for QSFP/SFP/XFP transceivers.
Image: Adapter for QSFP SFP XFP transceivers and REVELPROG-IS programmer (Adapter-for-QSFP-SFP-XFP-and-REVELPROG-IS.png)

REVELPROG-IS is a serial programmer with dedicated features for SFP / QSFP / XFP transceivers. It allows you to read/write the transceiver EEPROM, modify vendor name, serial number and transceiver configuration, read diagnostic data, and modify the user area and any page or table in the memory map.
Image: REVELPROG-IS software with dedicated features for optical transceivers (REVELPROG-IS_SFP_Software.png)
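To make the two protection levels concrete, here is a small simulator of the MSA password mechanism described in this post. It is an added example, not REVELPROG-IS code or any vendor's firmware; it assumes the SFF-8472 SFP layout (password entry at A2h bytes 7Bh..7Eh, user-writable EEPROM at A2h bytes 128..247) and a constructed manufacturer password.

```python
# Simulator of the MSA password mechanism for an SFP (SFF-8472 layout).
# Added example with constructed values, not a real module's passwords.
from dataclasses import dataclass, field

DEFAULT_HOST_PASSWORD = bytes([0x00, 0x00, 0x10, 0x11])  # factory default per SFF-8472
PASSWORD_ENTRY = 0x7B                                     # A2h bytes 7Bh..7Eh (4 bytes)
USER_EEPROM = range(128, 248)                             # A2h bytes 128..247, user writable
LOCKED, HOST, MANUFACTURER = 0, 1, 2

@dataclass
class SimulatedSfp:
    """256-byte A0h (vendor data) and A2h (diagnostics + user area) blocks."""
    host_password: bytes = DEFAULT_HOST_PASSWORD
    manufacturer_password: bytes = bytes.fromhex("80c0ffee")  # constructed, in MSA range
    a0: bytearray = field(default_factory=lambda: bytearray(b"VENDOR-X".ljust(256, b"\x00")))
    a2: bytearray = field(default_factory=lambda: bytearray(256))
    level: int = LOCKED

    def enter_password(self, candidate: bytes) -> int:
        """Writing 4 bytes to the password entry area sets the unlock level."""
        if candidate == self.manufacturer_password:
            self.level = MANUFACTURER
        elif candidate == self.host_password:
            self.level = HOST
        else:
            self.level = LOCKED
        return self.level

    def write(self, block: int, offset: int, data: bytes) -> bool:
        """Emulate an I2C write; True if accepted. A locked module typically just
        keeps its old data, which is why the programmer verifies by reading back."""
        if block == 0xA2 and offset == PASSWORD_ENTRY and len(data) == 4:
            self.enter_password(data)
            return True
        span = range(offset, offset + len(data))
        if self.level == MANUFACTURER:
            allowed = True                       # whole memory map, A0h and A2h
        elif self.level == HOST:
            allowed = block == 0xA2 and all(o in USER_EEPROM for o in span)
        else:
            allowed = False                      # write protected
        if allowed:
            target = self.a0 if block == 0xA0 else self.a2
            target[offset:offset + len(data)] = data
        return allowed

    def read(self, block: int, offset: int, length: int) -> bytes:
        """Reads are always permitted, locked or not."""
        target = self.a0 if block == 0xA0 else self.a2
        return bytes(target[offset:offset + length])
```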


Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby marteepee » Tue Feb 18, 2020 12:52 pm

Functionality usefulness confirmed.
Password found after 2 days of searching. Fortunately the manufacturer uses the same password for all SFPs of the same family.
Great job Reveltronics Team! Thanks!
PS. Manufacturer and password not shown in public for objective reasons ;)


Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby ArT » Tue Feb 23, 2021 4:27 pm

In the upcoming update v1.8.4 (available soon!) there are many improvements to the SFP/QSFP/XFP Password Tool. Thank you to all REVELPROG-IS users for their suggestions on how to improve this tool and make it more and more useful.

1. Added the possibility to import passwords from a dictionary file - if someone would like to check only specific passwords, they can list them in a TXT file and import this file in the application:
Image: sfp-passwrd-from-dictionary.png

The password file should be in .txt format and should contain 1 password per line as hex values, for example:


2. Save found password in manufacturer name
By default, when the programmer finds the password it overwrites the first 4 characters of the manufacturer name. This may be helpful when you leave the computer working for a few days and something bad happens (e.g. the computer freezes), so you can check whether the password was found. Since v1.8.4 this feature can be disabled with a checkbox (see screenshots above) and the original manufacturer name will be restored.
Image: password-saved-in-manufacturer-name.png

3. Improved auto-adjust for write-delay time
Now auto-adjust works better. In more cases it's able to detect the lowest possible delay at which it will still be able to detect a valid password. It's still not possible for all transceivers, but in most cases it works fine. If you see that auto-adjust set the write delay time to 0.00ms you should not trust it, because it may skip the valid password during the search (some transceivers operate on RAM and in such a case auto-adjust will not work). But if you see it's e.g. 0.1ms or 1ms etc. (a value greater than 0) then it's probably fine. You can preview which value was set here:
Image: auto-adjust-write-delay.png

Anyway, the MSA standard recommends using a write delay of 80.00ms. It guarantees that you do not skip valid passwords. But with an 80ms delay, searching for the password will take ages, so for the first loop you can try with auto-delay (if it sets >0.01ms). You can also set a manual delay of 0.10ms / 1.0ms / 10ms if auto-delay does not work (pick the lowest value where you do not get a timeout). REVELPROG-IS uses a smart algorithm for low delays, exploiting weak points of the physical EEPROM/FLASH memory, so in most cases you can find the password successfully using very small delays (e.g. 0.1ms). If you do not find the password with this delay you can try with 80ms and a limited range, e.g. ASCII characters (because I guess you do not have 10+ years to check all combinations).

It's always good to start searching for the password by limiting the range to ASCII characters - e.g. 0-9 digits or small/capital letters (a-z & A-Z), because there is quite a big chance that the manufacturer set the password using a console and keyboard ;)
Image: sfp-password-range-limit.png

I hope you will like these improvements!
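As an added example (not REVELPROG-IS code), here is a parser for the dictionary-file format from point 1 together with a sizing helper for the range limiting recommended in point 3. Everything about the line format beyond "one hex password per line" is an assumption: contiguous or space-separated hex digits, an optional 0x prefix, and '#' comments; the sample dictionary is constructed.

```python
# Added example: dictionary parser and search-range sizing for the Password Tool
# workflow; line-format details beyond "one hex password per line" are assumptions.
import string

MANUFACTURER_RANGE = range(0x80000000, 0x100000000)  # MSA manufacturer password range
CHARSETS = {  # byte values for a limited (ASCII) search, as recommended above
    "digits": string.digits,
    "letters": string.ascii_letters,
    "ascii": "".join(chr(c) for c in range(0x20, 0x7F)),  # 95 printable characters
}

def parse_password_dictionary(text: str) -> list[bytes]:
    """One 4-byte hex password per line ('00001011', '00 00 10 11' or '0x00001011');
    '#' starts a comment. Malformed lines raise so a long search never stops on them."""
    passwords = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().replace(" ", "")
        if not line:
            continue
        if line[:2].lower() == "0x":
            line = line[2:]
        try:
            pw = bytes.fromhex(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not hex: {raw!r}") from exc
        if len(pw) != 4:
            raise ValueError(f"line {lineno}: expected 4 bytes, got {len(pw)}")
        passwords.append(pw)
    return passwords

def classify(password: bytes) -> str:
    """Which lock a candidate could plausibly open, by the MSA range rule."""
    return "manufacturer" if int.from_bytes(password, "big") in MANUFACTURER_RANGE else "host"

def candidates(charset: str) -> int:
    """Worst-case number of 4-byte passwords drawn from charset."""
    return len(set(charset)) ** 4

def worst_case_hours(charset: str, passwords_per_second: float) -> float:
    """Time to exhaust the limited range at the rate the programmer achieves."""
    return candidates(charset) / passwords_per_second / 3600

# Constructed sample dictionary (not a real manufacturer's passwords).
SAMPLE_DICTIONARY = """# default host password from the MSA standard
00 00 10 11
0x80c0ffee   # constructed manufacturer-range candidate
41424344     # 'ABCD', the kind of value typed on a keyboard
"""
```

With the 95 printable ASCII characters the worst case is 81 450 625 candidates, which at 300 passwords/s is the ~3 days and at 4000 passwords/s the under-6-hours figure quoted in the first post.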
