Supermicro/OOB

From Omnia
Revision as of 19:43, 1 January 2021 by Kenneth

License Key

---

Supermicro IPMI License Key (for updating BIOS) = HMAC-SHA1-96(INPUT: MAC address of BMC, SECRET KEY: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8)

Peter Kleissner on Twitter: "Supermicro IPMI License Key (for updating BIOS) = HMAC-SHA1-96(INPUT: MAC address of BMC, SECRET KEY: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8)… https://t.co/L5jjPh8oMP" - https://twitter.com/kleissner/status/996955400787423232?lang=en

---

Supermicro enforces a vendor lock-in on BIOS updates via IPMI, even though they publish the update files for free here. The only free alternative is to time-travel to 1995 and boot from a DOS disk to supply the update. All other options (including the Supermicro Server Manager) require a license.

They published BIOS updates to address Spectre and Meltdown vulnerabilities, yet make it almost impossible to actually perform the update. Even if you go their suggested way, buying a key from an authorized Supermicro reseller, people on the internet report it’s difficult and time-consuming to get one. I was quoted 25 EUR and an estimated 2 weeks delivery time.

You buy a brand new product, it has a known vulnerability and you should pay for the update?! This is simply NOT acceptable. As the owner of my device I shall be free to update it. Therefore, I spent exactly 1 night reverse engineering this thing to figure out the license key algorithm. tl;dr here is the algorithm to generate those license keys:

HMAC-SHA1-96(INPUT: MAC address of BMC, SECRET KEY: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8)

Anybody can create the license key on https://cryptii.com (Bytes - HMAC - 2 Bytes) by typing on the left side (select Bytes) the MAC address of the IPMI (the BMC), select in the middle HMAC and SHA-1, enter the secret key and on the right side the License Key will appear!

This was successfully tested with Supermicro mainboards from 2013-2018. It appears they have not changed the algorithm and use the same “secret”. The first 6 groups go in here:

Update 1/14/2019: The Twitter user @astraleureka posted this Perl code, which generates the license key:

license.pl:

#!/usr/bin/perl
# perl -MCPAN -e "install Digest::HMAC_SHA1"
use strict;
use Digest::HMAC_SHA1 'hmac_sha1';
my $key  = "\x85\x44\xe3\xb4\x7e\xca\x58\xf9\x58\x30\x43\xf8";
my $mac  = shift || die 'args: mac-addr (i.e. 00:25:90:cd:26:da)';
my $data = join '', map { chr hex $_ } split ':', $mac;
my $raw  = hmac_sha1($data, $key);
printf "%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX-%02lX%02lX\n", (map { ord $_ } split '', $raw);

license.sh:

echo -n 'bmc-mac' | xxd -r -p | openssl dgst -sha1 -mac HMAC -macopt hexkey:8544E3B47ECA58F9583043F8 | awk '{print $2}' | cut -c 1-24

Example:

$ echo -n 'ac-1f-xx-xx-xx-xx' | license.sh
6a71xxxxxxxxxxxxxxxxf788


Reverse Engineering Supermicro IPMI – peterkleissner.com - https://peterkleissner.com/2018/05/27/reverse-engineering-supermicro-ipmi/
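
As an added example (not from the blog post or the scripts on this page), the same HMAC-SHA1-96 computation in Python, with MAC validation and a self-check against RFC 2202 test case 1. `verify_key` is a hypothetical checker, included as an assumption to show that with a shared symmetric key, anything able to verify a key can also generate one.

```python
import hashlib
import hmac
import re

# Key bytes as published on this page.
SECRET = bytes.fromhex("8544E3B47ECA58F9583043F8")


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to its leftmost 96 bits (12 of 20 bytes)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:.., aa-bb-.. or aabb.. and return the 6 raw bytes."""
    digits = re.sub(r"[:-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def license_key(mac: str) -> str:
    """Six dash-separated groups of four hex digits, as the scripts print."""
    tag = hmac_sha1_96(SECRET, parse_mac(mac)).hex()
    return "-".join(tag[i:i + 4] for i in range(0, 24, 4))


def verify_key(mac: str, candidate: str) -> bool:
    """Hypothetical checker: recompute the tag and compare in constant time."""
    cleaned = candidate.replace("-", "").lower().encode()
    expected = license_key(mac).replace("-", "").encode()
    return hmac.compare_digest(cleaned, expected)


# RFC 2202 test case 1 for HMAC-SHA1; the first 12 bytes are the -96 form.
RFC2202_KEY = b"\x0b" * 20
RFC2202_TAG = "b617318655057264e28bc0b6fb378c8ef146be00"

if __name__ == "__main__":
    assert hmac_sha1_96(RFC2202_KEY, b"Hi There").hex() == RFC2202_TAG[:24]
    sample = "00:25:90:cd:26:da"  # MAC from the usage text of license.pl
    key = license_key(sample)
    print(key, verify_key(sample, key.upper()))
```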

---

Bash script:

license.sh:

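#!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  # convert the colon-separated MAC into \xNN escapes
  hexmac="\x${mac//:/$sub}"
  # HMAC-SHA1 over the six raw MAC bytes
  code=$(printf '%b' "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  # drop the "(stdin)= " label; its text differs between OpenSSL versions
  code="${code##*= }"
  #echo "$mac"
  #echo "$hexmac"
  #echo "$code"
  # first 24 hex digits (96 bits) as six groups of four
  echo "${code:0:4}-${code:4:4}-${code:8:4}-${code:12:4}-${code:16:4}-${code:20:4}"
}
# hex output with input
hash_mac "$1"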

activate.sh:

#!/bin/bash

# perl -MCPAN -e "install Digest::HMAC_SHA1"

# read the BMC MAC address from the local IPMI interface
MAC=$(ipmitool lan print | grep "MAC Address" | awk '{print $4}')
#KEY=$(./license.pl "$MAC")
KEY=$(./license.sh "$MAC")
./sum -c ActivateProductKey --key "$KEY"

ref: https://www.virtuallifestyle.nl/2016/08/better-way-update-supermicro-bios-via-ipmi/

---

Or all in one:

activate.sh:

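#!/bin/bash
function hash_mac {
  mac="$1"
  key="8544e3b47eca58f9583043f8"
  sub="\x"
  # convert the colon-separated MAC into \xNN escapes
  hexmac="\x${mac//:/$sub}"
  # HMAC-SHA1 over the six raw MAC bytes
  code=$(printf '%b' "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  # drop the "(stdin)= " label; its text differs between OpenSSL versions
  code="${code##*= }"
  #DEBUG
  #echo "$mac"
  #echo "$hexmac"
  #echo "$code"
  # first 24 hex digits (96 bits) as six groups of four
  echo "${code:0:4}-${code:4:4}-${code:8:4}-${code:12:4}-${code:16:4}-${code:20:4}"
}

# read the BMC MAC address from the local IPMI interface
MAC=$( ipmitool lan print | grep "MAC Address" | awk '{print $4}' )

# hex output with input
KEY=$(hash_mac "$MAC")

./sum -c ActivateProductKey --key "$KEY"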

Improved:

#!/bin/bash
function hash_mac {
  mac="$1"  # upper case or lower case, doesn't matter
  key="8544e3b47eca58f9583043f8"
  # convert mac to \xNN escapes, with or without colon separators
  echo "$mac" | grep ':' > /dev/null
  if [ $? -ne 0 ] ; then
    hexmac="\x${mac:0:2}\x${mac:2:2}\x${mac:4:2}\x${mac:6:2}\x${mac:8:2}\x${mac:10:2}"
  else
    sub="\x"
    hexmac="\x${mac//:/$sub}"
  fi
  # HMAC-SHA1 over the six raw MAC bytes
  code=$(printf '%b' "$hexmac" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$key")
  # drop the "(stdin)= " label; its text differs between OpenSSL versions
  code="${code##*= }"
  #echo "$mac"
  #echo "$hexmac"
  #echo "$code"
  # first 24 hex digits (96 bits) as six groups of four
  echo "${code:0:4}-${code:4:4}-${code:8:4}-${code:12:4}-${code:16:4}-${code:20:4}"
}

if [ "$1" == "" ] ; then
  echo "Usage: $0 [MAC]"
  exit 1
fi

# hex output with input
hash_mac "$1"