Writing protected SFP / QSFP / XFP and searching for the password (brute force method)
Posted: Mon Jan 20, 2020 2:43 pm
Optical transceivers (SFP/SFP+, QSFP/QSFP+, XFP) may be write protected or unprotected. Most OEM transceivers are not protected, so they can be easily modified and programmed. But many popular manufacturers (e.g. HP, Cisco, Finisar, JDSU etc.) protect their transceivers, so they can be read but not written. Sometimes the module is protected with a password (most cases), sometimes it is protected during the manufacturing process and can not be edited afterwards (rarely). In this topic I'll describe the protection mechanism based on a password. I'll also show you a tool for brute forcing and hacking the password.
There are 2 types of passwords:
- host password (also known as user password)
- manufacturer password
Host/User Password
The host password protects the User Writable EEPROM area: if you know this password you can modify only the user EEPROM. The location of this area depends on the transceiver type, e.g. for SFP it's page 0 in block A2h, for QSFP it's page 2 in block A0h, for XFP it's table 2 in block A0h (please check the MSA standard specification for SFP/QSFP/XFP, e.g. SFF-8472, SFF-8636, INF-8077i, for more details). In most cases the user can change this password (if the current password is known). All factory-new transceivers should have the default host password: 00h 00h 10h 11h
Manufacturer Password
The manufacturer password protects the whole memory map, e.g. serial number, product name, manufacturer name etc.: if you know the manufacturer password you can modify anything. Only the manufacturer knows this password, and they do not want to share it with anyone.
Password location
The password is 4 bytes long and should be entered at:
- Block A2h, offset 7Bh for SFP / SFP+
- Block A0h, offset 7Bh for QSFP/QSFP+ and XFP
In REVELPROG-IS there is a dedicated function for entering the password:
When you enter a valid password you unlock the transceiver. A valid manufacturer password unlocks the whole EEPROM. A valid host password unlocks only the user EEPROM area.
Hacking the password (brute-force method)
In REVELPROG-IS there is a dedicated tool for searching for the password:
You can search for the host password and the manufacturer password.
YouTube video with example: https://www.youtube.com/watch?v=ca7n3T7THyE
For the host password it's recommended to search only ASCII letters, numbers and special characters (you can limit the search range), so in the worst case you will need to check ~81 million combinations. Please note that based on the MSA standard the default host password should be 0x00 0x00 0x10 0x11 for all new transceivers.
For the manufacturer password you will need to check all combinations, but based on the MSA standard it should be in the range 0x80000000 to 0xFFFFFFFF, so in the worst case you will need to check ~2 billion combinations. You have no real chance of doing it manually, but with the REVELPROG-IS password tool for SFP/QSFP/XFP it's possible. It's not easy, but possible.
REVELPROG-IS is a very fast programmer; everything depends on the transceiver speed. The programmer implements smart procedures that adjust the brute-force speed to work as fast as possible with different modules. For most transceivers it will search about 300 passwords per second, so to find the host password (ASCII chars only) you will need about 3 days (worst case). For the manufacturer password it's more complicated, because there are a lot of combinations (2 147 483 648 to be specific); even at ~300 passwords/s you will need about 100 days to check all of them. But MCU-based QSFP+ and SFP+ transceivers with FRAM or FLASH (EEPROM emulation) are much faster, so you can make use of the real potential of REVELPROG-IS. The maximum search speed (from tests) is about 4000 passwords per second, so you will need less than 6 hours (worst case) to find the host password and about 5 days (or less if you are lucky) to find the manufacturer password.
It's really fast for such a huge number of possible combinations. And you do not have to check all combinations: if you have any information about the range the password is in, you can limit the search to that range.
For example, for the SFP Finisar FTLF8524P2BNV it took 29 hours to find the manufacturer password (checking all combinations). Sorry for the screenshot in Polish, but the password was being searched on a few computers and the Polish language was set:
With a known manufacturer password you can edit the serial number, product name, vendor name etc. You can edit the whole EEPROM area.
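Once ID fields like the vendor name or serial number are rewritten, the two checksums of page A0h (CC_BASE and CC_EXT from SFF-8472) have to be recomputed, and a checksum that does not match is also the quickest sign that a module's ID page was edited or cloned carelessly. The following is an added example written for this post (it is not code from the original post or from the REVELPROG-IS software); the byte offsets are the SFF-8472 ones for SFP/SFP+, and the 256-byte page is constructed here, not read from a real module.

```python
def cc_base(page: bytes) -> int:
    """CC_BASE (A0h byte 63): low 8 bits of the sum of bytes 0..62 (SFF-8472)."""
    return sum(page[0:63]) & 0xFF

def cc_ext(page: bytes) -> int:
    """CC_EXT (A0h byte 95): low 8 bits of the sum of bytes 64..94 (SFF-8472)."""
    return sum(page[64:95]) & 0xFF

def decode_a0(page: bytes) -> dict:
    """Extract the human-readable ID fields and check both checksums."""
    if len(page) < 96:
        raise ValueError("A0h page must be at least 96 bytes")
    text = lambda lo, hi: page[lo:hi].decode("ascii", "replace").rstrip()
    return {
        "vendor_name": text(20, 36),  # bytes 20-35
        "vendor_pn":   text(40, 56),  # bytes 40-55
        "vendor_rev":  text(56, 60),  # bytes 56-59
        "vendor_sn":   text(68, 84),  # bytes 68-83
        "date_code":   text(84, 92),  # bytes 84-91
        "cc_base_ok":  page[63] == cc_base(page),
        "cc_ext_ok":   page[95] == cc_ext(page),
    }

def fix_checksums(page: bytes) -> bytes:
    """Return a copy of the page with CC_BASE and CC_EXT recomputed after an edit."""
    p = bytearray(page)
    p[63] = cc_base(p)
    p[95] = cc_ext(p)
    return bytes(p)

def build_sample_page(vendor: str, pn: str, sn: str) -> bytes:
    """Constructed 256-byte A0h page for this example (not a dump of a real module)."""
    p = bytearray(256)
    p[0] = 0x03                                  # identifier: SFP/SFP+
    p[20:36] = vendor.encode().ljust(16)[:16]
    p[40:56] = pn.encode().ljust(16)[:16]
    p[56:60] = b"A   "
    p[68:84] = sn.encode().ljust(16)[:16]
    p[84:92] = b"20010100"
    return fix_checksums(bytes(p))

if __name__ == "__main__":
    good = build_sample_page("EXAMPLE VENDOR", "EXAMPLE-PN-01", "SN0001")
    print(decode_a0(good))
    # Rewrite the serial but leave the checksums alone: CC_EXT no longer matches,
    # which is what a sanity check on a module's ID page would flag.
    edited = bytearray(good)
    edited[68:84] = b"SN9999".ljust(16)
    print(decode_a0(bytes(edited))["cc_ext_ok"])                  # False
    print(decode_a0(fix_checksums(bytes(edited)))["cc_ext_ok"])   # True
```

The vendor name sits in the base region (covered by CC_BASE) while the serial number sits in the extended region (covered by CC_EXT), so each edit breaks a different checksum.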
OEM Transceivers
The other solution is to buy an unprotected OEM transceiver. There are many SFP/QSFP/XFP manufacturers which offer unprotected modules in the MSA standard. You can read a protected transceiver and copy it to another, unprotected transceiver. It will work in most cases.
Tools used in this tutorial (REVELPROG-IS programmer + QSFP/SFP/XFP Adapter)
In this tutorial I used the REVELPROG-IS programmer with the dedicated adapter for QSFP/SFP/XFP transceivers.
REVELPROG-IS is a serial programmer with dedicated features for SFP / QSFP / XFP transceivers. It allows you to read/write the transceiver EEPROM, modify the vendor name, serial number and transceiver configuration, read diagnostic data, and modify the user area and any page or table in the memory map.