Supermicro enforces a vendor lock-in on BIOS updates via IPMI, even though they publish the update files for free here. The only free alternative is to time-travel to 1995 and boot from a DOS disk to supply the update. All other options (including the Supermicro Server Manager) require a license.
They published BIOS updates to address the Spectre and Meltdown vulnerabilities, yet make it almost impossible to actually perform the update. Even if you go their suggested way and buy a key from an authorized Supermicro reseller, people on the internet report that getting one is difficult and time-consuming. I was quoted 25 EUR and an estimated 2 weeks delivery time.
You buy a brand new product, it has a known vulnerability and you should pay for the update?! This is simply NOT acceptable. As the owner of my device I shall be free to update it. Therefore, I spent exactly 1 night reverse engineering this thing to figure out the license key algorithm. tl;dr here is the algorithm to generate those license keys:
MAC-SHA1-96(INPUT: MAC address of BMC, SECRET KEY: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8)
Anybody can create the license key on https://cryptii.com/pipes/QiZmdA by typing on the left side (select Bytes) the MAC address of the IPMI (the BMC), select in the middle HMAC and SHA-1, enter the secret key and on the right side the License Key will appear!
This was successfully tested with Supermicro mainboards from 2013-2018. It appears they have not changed the algorithm and use the same “secret”. The first 6 groups go in here:
Update 1/14/2019: The Twitter user @astraleureka posted this Perl code, which generates the license key:
Update 3/27/2019: There is also a Linux shell version that uses openssl:
Update 9/15/2019: Twitter user @zanejchua provided the link https://cryptii.com/pipes/QiZmdA which makes it easier to generate the code.
Information about IPMI (skip this if you’re an expert)
The IPMI is a remote management mechanism for servers, embedded in a chip that is separate from the typical resources accessible by the operating system. It allows remote management of a server even when it’s turned off. It’s really useful when your server is not responding and you don’t want to or can’t physically go there to troubleshoot. You can even install an OS via IPMI, start the server & even go into the BIOS. Thanks to HTML5 Supermicro switched away from those old Java applets (anyone developing anything in Java should be banned to a far, far remote island; Java should die in a fire, it’s slow and has 9999 vulnerabilities and on top of that Oracle will go after you for trademark and patent troll reasons even though it’s open source).
References that helped
I want to point out previous research work which helped me a lot.
Step 1: Download & Extract the Firmware
Supermicro offers the IPMI update files for free on their website. You need to select your mainboard and download the IPMI update file. Among other files it will contain 1 large firmware blob, in this case “REDFISH_X10_366.bin”.
The tool binwalk will scan the binary and look for signatures of known formats:
Use a hex editor (such as HxD) to extract the CramFS binaries and store them to new files. CramFS is a compressed Linux file system for embedded systems; these images contain the files that we are interested in.
Next, on a Linux system, mount each of the two files with this command and then dump all files into a tar file:
Congrats! You now have the actual files of the IPMI system.
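The scan-and-carve part of Step 1 can also be scripted instead of done by hand in a hex editor. The following is an added example, not code from the original post: it looks for the CramFS superblock (magic number plus the "Compressed ROMFS" signature), reads the image size stored in it, and cuts each image out. The sample blob is constructed test data, not a real firmware file.

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45                 # cramfs superblock magic number
CRAMFS_SIGNATURE = b"Compressed ROMFS"    # 16-byte signature at offset 16
HEADER = "4I16s4I16s"                     # first 64 bytes of the superblock


def find_cramfs(blob):
    """Return offset, size and name of every plausible CramFS image in blob."""
    found = []
    for endian in ("<", ">"):             # cramfs uses the byte order of the host that built it
        magic = struct.pack(endian + "I", CRAMFS_MAGIC)
        pos = blob.find(magic)
        while pos != -1:
            raw = blob[pos:pos + 64]
            if len(raw) == 64:
                _, size, _, _, sig, _, _, _, files, name = struct.unpack(endian + HEADER, raw)
                # Reject stray magic bytes and images that run past the end of the blob.
                if sig == CRAMFS_SIGNATURE and 64 <= size <= len(blob) - pos:
                    found.append({"offset": pos, "size": size, "files": files,
                                  "name": name.rstrip(b"\0").decode("ascii", "replace")})
            pos = blob.find(magic, pos + 1)
    return sorted(found, key=lambda e: e["offset"])


def carve(blob, entry):
    """Cut one image out of the blob using the size stored in its superblock."""
    return blob[entry["offset"]:entry["offset"] + entry["size"]]


def fake_image(name, size):
    """Constructed test data: a CramFS superblock followed by zero padding."""
    head = struct.pack("<" + HEADER, CRAMFS_MAGIC, size, 0, 0, CRAMFS_SIGNATURE, 0, 0, 0, 1, name)
    return head + b"\0" * (size - len(head))


# Constructed stand-in for a firmware blob: padding, one image, a decoy magic, a second image.
SAMPLE_BLOB = (b"\xff" * 0x100 + fake_image(b"rootfs", 0x200)
               + struct.pack("<I", CRAMFS_MAGIC) + b"A" * 60
               + fake_image(b"webfs", 0x180))

if __name__ == "__main__":
    for entry in find_cramfs(SAMPLE_BLOB):
        print(hex(entry["offset"]), hex(entry["size"]), entry["name"], len(carve(SAMPLE_BLOB, entry)))
```

Checking the signature and the stored size is what separates a real superblock from a chance occurrence of the four magic bytes inside compressed data.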
Step 2: Reverse engineer the interesting files on the IPMI file system
Finding the HTML/JS code that provides the user interface for activation was easy: Use the browser’s built-in developer tools (F12) to look at the code, then look for the same code on the extracted IPMI file system.
As you can see below, the IPMI website (that you visit as system administrator) calls “/cgi/ipmi.cgi” with certain parameters for checking if the key is valid.
Here are the breadcrumbs I followed from the website part:
The response is XML with check set to 0 if invalid and 1 if valid (it’s weird that they do not use JSON instead):
Next, we need to use IDA Pro and open the file “ipmi.cgi” that is stored on the IPMI file system and that we extracted in the previous step. Below you can see the code that handles the license check. By reading this code, you can see what the license is supposed to look like. The first loop hex-decodes the input, i.e. the text key “1234-00FF-0000-0000-0000-0000” becomes binary (12 bytes) 12 34 00 FF 00 00 00 00 00 00 00 00.
The actual check of the license is done in another file “libipmi.so” which implements the referenced function oob_format_license_activate:
You can see here already the actual license key algorithm referenced – HMAC_SHA1. It is important to notice the 12 in the function call, which means 96 bits. The 96 bits is exactly the length of the key, represented in hex to the end-user.
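The structure of the check described above (hex-decode the six groups to 12 bytes, then compare against HMAC-SHA1 truncated to 12 bytes) looks like this in Python. This is an added example, not the firmware's code and not from the original post; the secret and the MAC address are constructed demo values, and the strictness of the format parsing and the function names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo values: NOT the vendor's secret and not a real BMC address.
DEMO_SECRET = bytes.fromhex("00112233445566778899aabb")
DEMO_BMC_MAC = "02:00:00:aa:bb:cc"

KEY_FORMAT = re.compile(r"[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){5}")


def decode_key(text):
    """Hex-decode 'XXXX-XXXX-XXXX-XXXX-XXXX-XXXX' into 12 raw bytes, or None."""
    if not KEY_FORMAT.fullmatch(text):
        return None
    return bytes.fromhex(text.replace("-", ""))


def expected_tag(mac, secret):
    """HMAC-SHA1 over the 6 MAC address bytes, truncated to 12 bytes (96 bits)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes")
    return hmac.new(secret, raw, hashlib.sha1).digest()[:12]


def check_license(text, mac, secret):
    """Return 1 for a valid key and 0 otherwise, like the 'check' value in the XML reply."""
    candidate = decode_key(text)
    if candidate is None:
        return 0
    # The verifier has to recompute the tag itself. With a symmetric MAC, whoever
    # can read the secret out of the verifier can also produce valid tags.
    return int(hmac.compare_digest(candidate, expected_tag(mac, secret)))


def format_key(tag):
    """Render 12 bytes as six dash-separated groups of four hex digits."""
    digits = tag.hex().upper()
    return "-".join(digits[i:i + 4] for i in range(0, 24, 4))


if __name__ == "__main__":
    print(check_license("1234-00FF-0000-0000-0000-0000", DEMO_BMC_MAC, DEMO_SECRET))
```

The design lesson is in `check_license`: a device that verifies a symmetric MAC must ship the secret, so the scheme holds only as long as nobody reads the firmware.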
Interestingly there is a function “oob_format_license_create” which creates the license and is even easier to read. You can see directly the reference to the private keys. “oob” means out-of-band, i.e. processing the update via IPMI.
The Supermicro keys are:
HSDC Private Key: 39 CB 2A 1A 3D 74 8F F1 DE E4 6B 87
OOB Private Key: 85 44 E3 B4 7E CA 58 F9 58 30 43 F8
At the beginning of this blog post it is explained how you can easily use this to create your own Supermicro License Key.
Peter Kleissner | 16 May 18 |
Replying to @Kleissner Why I released this: Motherboard owners must have the option to fix critical security vulnerabilities without vendor lock-in. This is ridiculous that BIOS update to newer more secure versions was artificially locked. |
Peter Kleissner | 16 May 18 |
Replying to @Kleissner Anybody can create the Supermicro license key: cryptii.com/hmac pic.twitter.com/JH9jbEdUBv |
Chrisss | 18 Apr 19 |
Replying to @Kleissner thanks peter. I wonder that how do you know this secret key. Can you share the way to get it. I use redfish api and find some api still display license error when i activate Supermicro with this generated license. Thanks! |
Peter Kleissner | 18 Apr 19 |
Replying to @Chrisss78007553 Sure, it's documented here: peterkleissner.com/2018/05/27/rev… |
Jens Stork | 22 Apr 19 |
Replying to @Kleissner cool, thx a lot! what do i need the hsdc private key for? |
Peter Kleissner | 22 Apr 19 |
Replying to @printweb That's a good question, I don't know what it is used for |
Mark Foobar | 16 Aug 18 |
Replying to @Kleissner Or in bash: echo -n 'bmc-mac' | xxd -r -p | openssl dgst -sha1 -mac HMAC -macopt hexkey:8544E3B47ECA58F9583043F8 | awk '{print $2}' | cut -c 1-24 |
the vessel of morganna | 16 Aug 18 |
Replying to @maniacnl @Kleissner |
the vessel of morganna @astraleureka | 16 Aug 18 |
RE'd the IPMI a few months ago for the same purpose. Here's my version of a keygen - paste.ee/r/HFSxw |
the vessel of morganna | 16 Aug 18 |
Replying to @Kleissner Interestingly enough, your IDA screenshot looks a lot different than what I found. What revision of the IPMI is this for? I was working with SMT_X9 images (i.e. mirror.astr.al/supermicro/IPM…) |