Writing protected SFP / QSFP / XFP and searching password (brute force method)

Interesting examples and tutorials about REVELPROG-IS features and device programming
ArT

Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby ArT » Mon Jan 20, 2020 2:43 pm

Optical transceivers (SFP/SFP+, QSFP/QSFP+, XFP) may be write-protected or unprotected. Most OEM transceivers are not protected, so they can be easily modified and programmed. But many popular manufacturers (e.g. HP, Cisco, Finisar, JDSU etc.) protect their transceivers, so they can be read but not written. Sometimes a transceiver is protected with a password (most cases), sometimes it is protected during the manufacturing process and cannot be edited later (rarely). In this topic I'll describe the password protection mechanism. I'll also show you a tool for brute-forcing the password.

There are 2 types of passwords:

  • host password (also known as user password)
  • manufacturer password
[Image passwords.png: MSA Standard password types]


Host/User Password

The host password protects the User Writable EEPROM area: if you know this password you can modify only the user EEPROM. The location of this area varies depending on transceiver type, e.g. for SFP it's page 0 in block A2h, for QSFP it's page 2 in block A0h, for XFP it's table 2 in block A0h (please check the MSA standard specification for SFP/QSFP/XFP, e.g. SFF-8472, SFF-8636, INF-8077i, for more details). In most cases the user can change this password (if the current password is known). All factory-new transceivers should have the default host password: 00h 00h 10h 11h

Manufacturer Password

The manufacturer password protects the whole memory map, e.g. serial number, product name, manufacturer name etc.: if you know the manufacturer password you can modify anything. Only the manufacturer knows this password and they do not want to share it with anyone.

Password location

The password is 4 bytes long and should be entered at:
  • Block A2h, offset 7Bh for SFP / SFP+
  • Block A0h, offset 7Bh for QSFP/QSFP+ and XFP

In REVELPROG-IS there is a dedicated function for entering the password:
[Image qsfp-sfp-xfp_password-tool.png: Unlocking QSFP / SFP / XFP transceivers with password]

When you enter a valid password you unlock the transceiver. A valid manufacturer password unlocks the whole EEPROM. A valid host password unlocks only the user EEPROM area.

Hacking the password (brute-force method)

In REVELPROG-IS there is a dedicated tool for searching the password:
[Image SFP_search_password.png: Brute force password for SFP / QSFP / XFP transceivers]

You can search for the host password and for the manufacturer password.

YouTube video with example: https://www.youtube.com/watch?v=ca7n3T7THyE

For the host password it's recommended to search only ASCII letters, numbers and special characters (you can limit the search range), so in the worst case you will need to check ~81 million combinations. Please note that based on the MSA standard the default host password should be 0x00 0x00 0x10 0x11 for all new transceivers.

For the manufacturer password you will need to check all combinations, but based on the MSA standard it should be in the range 0x80000000 to 0xFFFFFFFF, so in the worst case you will need to check ~2 billion combinations. You have no real chance of doing it manually, but with the REVELPROG-IS password tool for SFP/QSFP/XFP it's possible. It's not easy, but possible.

REVELPROG-IS is a very fast programmer; everything depends on the transceiver speed. The programmer implements smart procedures that adjust the brute-force speed to work as fast as possible with different modules. For most transceivers it will search about 300 passwords per second, so to find the host password (ASCII chars only) you will need about 3 days (worst case). For the manufacturer password it's more complicated, because you have a lot of combinations (2 147 483 648 to be specific); even checking ~300 passwords/s you will need about 100 days to check all combinations. But MCU-based QSFP+ & SFP+ transceivers with FRAM or FLASH (EEPROM emulation) are much faster, so you can make use of the real potential of REVELPROG-IS. The maximum search speed (from tests) is about 4000 passwords per second, so you will need less than 6 hours (worst case) to find the host password and about 5 days (or less if you are lucky 8-) ) to find the manufacturer password.
[Image sfp-searching-host-password.png: Searching SFP host password with maximum speed (fastest SFP transceivers)]

It's really fast for such a huge number of possible combinations. And you do not have to check all combinations: if you have any information about the range the password is in, you can limit the search to that range.

For example, for the SFP Finisar FTLF8524P2BNV it took 29 hours to find the manufacturer password (checking all combinations). Sorry for the screenshot in Polish, but the password was being searched on a few computers and the Polish language was set:
[Image FINISAR_Manufacturer-Password.png: SFP FINISAR_FTLF8524P2BNV found manufacturer password]

With the known manufacturer password you can edit the serial number, product name, vendor name etc. You can edit the whole EEPROM area.

OEM Transceivers

The other solution is to buy an unprotected OEM transceiver. There are many SFP/QSFP/XFP manufacturers which offer unprotected modules in the MSA standard. You can read a protected transceiver and copy it to another, unprotected transceiver. It will work in most cases.

Tools used in this tutorial (REVELPROG-IS programmer + QSFP/SFP/XFP Adapter)

In this tutorial I used the REVELPROG-IS programmer with the dedicated adapter for QSFP/SFP/XFP transceivers.
[Image Adapter-for-QSFP-SFP-XFP-and-REVELPROG-IS.png: Adapter for QSFP SFP XFP transceivers and REVELPROG-IS programmer]

REVELPROG-IS is a serial programmer with dedicated features for SFP / QSFP / XFP transceivers. It allows you to read/write the transceiver EEPROM, modify the vendor name, serial number and transceiver configuration, read diagnostic data, and modify the user area and any page or table in the memory map.
[Image REVELPROG-IS_SFP_Software.png: REVELPROG-IS software with dedicated features for optical transceivers]
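As an added example (my code, not part of the post above and not REVELPROG-IS's own implementation), the unlock procedure the post describes, written in Python against a simulated SFF-8472 module: the 4-byte password is written to A2h byte 0x7B, and the only way to learn whether it was accepted is to attempt a write to the area it should unlock and read it back, because a protected module acknowledges the write on the bus and silently drops it. The `SimulatedSfp` class, the 7-bit bus addresses 0x50/0x51 (A0h/A2h), the manufacturer password value and the search targets are assumptions standing in for real hardware; with a real programmer the `read`/`write` methods would be the I2C transactions. The candidate generators also show where the post's counts come from: 95**4 printable-ASCII passwords and 2**31 values in the MSB-set manufacturer range.

```python
"""Simulated SFF-8472 (SFP) password check and brute-force search (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional

A0H, A2H = 0x50, 0x51                  # 7-bit I2C addresses of the two SFP memory blocks (assumed)
PASSWORD_ENTRY = 0x7B                  # A2h bytes 123..126: 4-byte password entry area
USER_EEPROM = range(128, 248)          # A2h bytes 128..247: host-writable user area
VENDOR_NAME = 20                       # A0h bytes 20..35: vendor name (manufacturer-only area)
DEFAULT_HOST_PASSWORD = bytes([0x00, 0x00, 0x10, 0x11])
PRINTABLE_ASCII = bytes(range(0x20, 0x7F))   # 95 characters


@dataclass
class SimulatedSfp:
    """Stand-in for a real module (constructed). Any write outside the password entry area is
    silently dropped unless the bytes currently in the entry area match one of the passwords.
    The manufacturer password value is made up, with the MSB set as the post describes."""
    host_password: bytes = DEFAULT_HOST_PASSWORD
    manufacturer_password: bytes = bytes([0x80, 0x00, 0x00, 0x00])
    mem: Dict[int, bytearray] = field(default_factory=lambda: {A0H: bytearray(256), A2H: bytearray(256)})
    writes: int = 0                     # write transactions seen, to measure search cost

    def read(self, addr: int, offset: int, length: int) -> bytes:
        return bytes(self.mem[addr][offset:offset + length])

    def write(self, addr: int, offset: int, data: bytes) -> None:
        self.writes += 1
        if addr == A2H and offset == PASSWORD_ENTRY and len(data) == 4:
            self.mem[A2H][offset:offset + 4] = data        # entry area is always writable
            return
        entered = self.read(A2H, PASSWORD_ENTRY, 4)
        span = range(offset, offset + len(data))
        if entered == self.manufacturer_password:
            allowed = True                                  # whole memory map
        elif entered == self.host_password:
            allowed = addr == A2H and all(o in USER_EEPROM for o in span)
        else:
            allowed = False
        if allowed:
            self.mem[addr][offset:offset + len(data)] = data
        # when not allowed the module ACKs and ignores the write, so the caller must read back


def probe(dev: SimulatedSfp, password: bytes, addr: int, offset: int) -> bool:
    """Enter `password`, then check whether byte `offset` of block `addr` became writable.
    The test flips one byte and restores it, so a successful probe leaves the module unchanged."""
    dev.write(A2H, PASSWORD_ENTRY, password)
    original = dev.read(addr, offset, 1)
    flipped = bytes([original[0] ^ 0xFF])
    dev.write(addr, offset, flipped)
    if dev.read(addr, offset, 1) != flipped:
        return False                                        # write ignored: still locked
    dev.write(addr, offset, original)
    return True


def unlock_level(dev: SimulatedSfp, password: bytes) -> str:
    """'manufacturer' if the vendor area unlocked, 'host' if only the user area did, else 'none'."""
    if probe(dev, password, A0H, VENDOR_NAME):
        return "manufacturer"
    if probe(dev, password, A2H, USER_EEPROM.start):
        return "host"
    return "none"


def charset_candidates(chars: bytes) -> Iterator[bytes]:
    """Every 4-byte password drawn from `chars`: len(chars)**4 values (95**4 = 81,450,625 for
    printable ASCII, the ~81 million the post quotes for a host password search)."""
    for a in chars:
        for b in chars:
            for c in chars:
                for d in chars:
                    yield bytes((a, b, c, d))


def int_range_candidates(start: int, stop: int) -> Iterator[bytes]:
    """Big-endian 4-byte values in [start, stop). The manufacturer range the post gives is
    int_range_candidates(0x80000000, 0x100000000), i.e. 2**31 = 2,147,483,648 values."""
    for value in range(start, stop):
        yield value.to_bytes(4, "big")


def brute_force(dev: SimulatedSfp, candidates: Iterable[bytes],
                addr: int, offset: int) -> Optional[bytes]:
    """One probe per candidate against the target area: (A2H, 128) to hunt the host password,
    (A0H, 20) to hunt the manufacturer password. Returns the first hit or None."""
    for pw in candidates:
        if probe(dev, pw, addr, offset):
            return pw
    return None


if __name__ == "__main__":
    sfp = SimulatedSfp(host_password=b"ab1!")               # constructed target
    hit = brute_force(sfp, int_range_candidates(0x61623100, 0x61623200), A2H, USER_EEPROM.start)
    print("host password:", hit, "after", sfp.writes, "write transactions")
```

Each probe costs three write transactions (password, test byte, restore) plus a read, which is why the search rate is bounded by the module's write speed rather than by the programmer. When hunting the manufacturer password, probing a byte of the vendor name rather than the user area is what distinguishes it from a host password hit.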

marteepee

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby marteepee » Tue Feb 18, 2020 12:52 pm

Functionality usefulness confirmed.
Password found after 2 days of searching. Fortunately the manufacturer uses the same password for all SFPs of the same family.
Great job Reveltronics Team! Thanks!
PS. Manufacturer and password not shown publicly for objective reasons ;)

ArT

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby ArT » Tue Feb 23, 2021 4:27 pm

In the upcoming update v1.8.4 (available soon!) there are many improvements to the SFP/QSFP/XFP Password Tool. Thank you to all REVELPROG-IS users for their suggestions on how to improve this tool and make it more and more useful.

1. Added the possibility to import passwords from a dictionary file: if someone would like to check only specific passwords, they can list them in a TXT file and import this file in the application:
[Image sfp-passwrd-from-dictionary.png]

The password file should be in .txt format and should contain 1 password per line as hex values, for example:

00001011
00000000
FFFFFFFF
80000000
63737777
10011100


2. Save found password in manufacturer name
By default, when the programmer finds the password it overwrites the first 4 characters of the manufacturer name. This may be helpful when you leave the computer working for a few days and something bad happens (e.g. the computer freezes), so you can check whether the password was found. Since v1.8.4 this feature can be disabled with a checkbox (see screenshots above) and the original manufacturer name will be restored.
[Image password-saved-in-manufacturer-name.png]


3. Improved auto-adjust for write-delay time
Now auto-adjust works better. In more cases it is able to detect the lowest possible delay at which it can still detect a valid password. It is still not possible for all transceivers, but in most cases it works fine. If you see that auto-adjust set the write delay time to 0.00 ms you should not trust it, because it may skip the valid password during the search (some transceivers operate on RAM and in such a case auto-adjust will not work). But if you see that it's e.g. 0.1 ms or 1 ms etc. (a value greater than 0) then it's probably fine. You can preview which value was set here:
[Image auto-adjust-write-delay.png]

Anyway, the MSA standard recommends using a write delay of 80.00 ms. It guarantees that you do not skip valid passwords. But with an 80 ms delay searching for the password will take ages, so for the first loop you can try with auto-delay (if it set >0.01 ms). You can also set a manual delay of 0.10 ms / 1.0 ms / 10 ms if auto-delay does not work (pick the lowest value at which you do not get a timeout). REVELPROG-IS uses a smart algorithm for low delays, exploiting weak points of physical EEPROM/FLASH memory, so in most cases you can find the password successfully using very small delays (e.g. 0.1 ms). If you do not find the password with this delay you can try with 80 ms and a limited range, e.g. ASCII characters only (because I guess you do not have 10+ years to check all combinations).

It's always good to start searching for the password by limiting the range to ASCII characters, e.g. digits 0-9 or lowercase/uppercase letters (a-z & A-Z), because there is quite a big chance that the manufacturer set the password using a console and keyboard ;)
[Image sfp-password-range-limit.png]

I hope you will like these improvements!
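An added example (my code, not part of the post above and not the tool's own algorithm) covering two points from this post: a parser for the dictionary file format described under point 1, and a toy timing model for point 3 that shows why a write delay of 0.00 ms can skip the valid password. In the model every accepted write starts an internal write cycle of t_wr during which further writes to the part are lost, so a probe whose test write arrives inside that window reports "locked" even though the right password was just entered; a FRAM/RAM-backed module behaves like t_wr = 0, which is the case where a zero delay is harmless. `WriteCycleModel`, its timings, the candidate values and `worst_case_years` are constructed for illustration and do not reproduce REVELPROG-IS's low-delay procedure. Incidentally, the sample line 63737777 in the post decodes to the ASCII string "csww", the kind of keyboard-typed value the ASCII-range hint is about.

```python
"""Dictionary import and the write-delay failure mode of an SFP password search (added example)."""
from typing import Iterable, List, Optional

SECONDS_PER_YEAR = 365.25 * 86400


def parse_password_dictionary(text: str) -> List[bytes]:
    """Parse the dictionary format: one password per line as 8 hex digits (4 bytes).
    Blank lines are ignored, duplicates are dropped (first occurrence wins), and anything
    else is rejected so that a typo cannot silently shrink the candidate list."""
    seen = set()
    passwords: List[bytes] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if len(line) != 8:
            raise ValueError(f"line {lineno}: expected 8 hex digits, got {line!r}")
        try:
            pw = bytes.fromhex(line)
        except ValueError:
            raise ValueError(f"line {lineno}: not hexadecimal: {line!r}") from None
        if pw not in seen:
            seen.add(pw)
            passwords.append(pw)
    return passwords


def worst_case_years(candidates: int, delay_ms: float) -> float:
    """Upper bound on wall-clock time for a search paying `delay_ms` per candidate and nothing
    else: 2**32 candidates at the 80 ms MSA delay come out at just under 11 years."""
    return candidates * delay_ms / 1000 / SECONDS_PER_YEAR


class WriteCycleModel:
    """Toy model (constructed) of an EEPROM-backed module: every accepted write starts an
    internal write cycle of t_wr_ms during which further writes are lost. t_wr_ms = 0 stands
    for a FRAM/RAM-backed module that has no such window."""

    def __init__(self, valid_password: bytes, t_wr_ms: float):
        self.valid = valid_password
        self.t_wr = t_wr_ms
        self.busy_until = 0.0
        self.entered = b""

    def _write(self, t_ms: float) -> bool:
        if t_ms < self.busy_until:
            return False                      # lost: previous write cycle still running
        self.busy_until = t_ms + self.t_wr
        return True

    def probe(self, password: bytes, t_ms: float, delay_ms: float) -> bool:
        """Password write at t_ms, test write delay_ms later. True only when the test write
        got through while the valid password is sitting in the entry area."""
        if not self._write(t_ms):
            return False                      # the password write itself was lost
        self.entered = password
        if not self._write(t_ms + delay_ms):
            return False                      # test write lost: module looks locked
        return self.entered == self.valid


def search(model: WriteCycleModel, candidates: Iterable[bytes], delay_ms: float) -> Optional[bytes]:
    """Brute force in simulated time with a fixed write delay; each candidate costs two writes."""
    t = 0.0
    for pw in candidates:
        if model.probe(pw, t, delay_ms):
            return pw
        t += 2 * delay_ms
    return None


if __name__ == "__main__":
    # constructed candidate list: sixteen values at the bottom of the manufacturer range
    cands = [v.to_bytes(4, "big") for v in range(0x80000000, 0x80000010)]
    for delay in (0.0, 5.0):
        hit = search(WriteCycleModel(b"\x80\x00\x00\x07", t_wr_ms=5.0), cands, delay)
        print(f"delay {delay} ms with a 5 ms write cycle -> {hit}")
```

With a 5 ms write cycle the zero-delay run walks straight past the valid password and reports nothing, while a delay equal to the cycle time finds it; with t_wr_ms = 0 the zero-delay run succeeds too. That is the behaviour behind the advice above: a 0.00 ms auto-adjust result only proves the module did not time out, not that a hit would have been noticed.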

manias21

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby manias21 » Sun Oct 24, 2021 2:40 am

Is it possible to read or write the W25Q64JV in the SFP without extracting it?

ArT

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby ArT » Sun Oct 24, 2021 10:48 pm

Yes, you can try to program it without desoldering if you can locate and connect the MISO, MOSI, SCK and CS signals (plus power and ground). I can help you locate these signals if you send me pictures of your SFP (high-res of the board inside). It's not possible to program it without opening the SFP enclosure because these signals are not connected to the external connector of the SFP.

manias21

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby manias21 » Mon Oct 25, 2021 11:51 am

I understand you now, the important thing is to know...
Is it possible to use an adapter for this process?

ArT

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby ArT » Mon Oct 25, 2021 8:38 pm

If the FLASH is in a SOIC-8 package you can use a SOIC-8 clip, but if it's in a WSON-8 or QFN-8 package you will need to find the above signals somewhere on the board or desolder the chip (because these package types have their pads hidden on the bottom side of the chip).

siedar

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby siedar » Thu May 12, 2022 2:39 pm

I'm looking for someone who has managed to program a Sumitomo Electric (for Alcatel Lucent) SFP+ 10G SPP52000ER-A8 with Revelprog.

I can read A0/A2 but programming isn't possible. Memory access is too slow to use BF.

Any ideas?

Best regards
Darius

thankfly

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby thankfly » Mon May 16, 2022 5:16 am

siedar wrote: I'm looking for someone who has managed to program a Sumitomo Electric (for Alcatel Lucent) SFP+ 10G SPP52000ER-A8 with Revelprog. I can read A0/A2 but programming isn't possible. Memory access is too slow to use BF. Any ideas?

Sumitomo needs a special hardware program to write.

veegee

Re: Writing protected SFP / QSFP / XFP and searching password (brute force method)

Postby veegee » Thu Jul 14, 2022 10:24 pm

thankfly wrote: Sumitomo needs a special hardware program to write.


Can you elaborate on this? What makes those transceivers special? Also, are HP transceivers different in any way?

