IMS 5000 system password file cracked
frustum at pacbell.net
Sun Apr 22 09:27:14 CDT 2007
I've had an IMS 5000 system for about a year; I got it off ebay for a
song ($35), but as I didn't know any login name and corresponding
password, it has been a brick. I've thought of a couple ways to break
the security, which isn't all that secure, but didn't due to lack of
time. Finally I made time last night.
The machine specifically is an IMS 5000 IS. It is a very well built
late model S-100 system, aimed at professional applications. This one
came from a dentist's office. The main unit contains a 12" CRT, an
intelligent terminal control board (8085 based) which is connected via
an internal serial port to a Z80 CPU card in the main S-100 chassis.
This is a TurboDOS system, meaning it is a multiprocessing Z80 system.
Serial ports on the back of the machine can connect to remote terminals;
I have one other remote head, also made by IMS.
The machine has a 10MB Rodime hard drive, still working, a single DSDD
floppy (although there is room for another), a master Z80 CPU, a 64KB
parity checked DRAM card, and two MPUs. An MPU is a card containing a
slave Z80 processor with its own 64KB parity checked DRAM and serial
Although I have the docs showing the gross functionality, I have no
schematics for any of this.
First I rebuilt disk images from Fritz Chwolka's webpage for the IMS
5000, but for whatever reason I couldn't boot these disks. IMS made
more than one configuration of this machine, so it wasn't entirely
unexpected. Next I tried a hardware approach.
The hard disk controller has a 1KB SRAM buffer for holding an inbound or
outbound sector. Programmed IN/OUT transfers fill or drain the buffer,
not DMA. First I verified that the address lines on the RAM were wired
in conventional order by seeing what pins they were wired to on the
74LS193s forming the address counter. The data pin order was more of a
question, but I assumed that since the address lines were connected in
consecutive order, the data pins would be too. I hooked up a logic
analyzer to the RAMs, booted the system, and waited for the password
prompt. I typed some gibberish and hit return, and the logic analyzer
captured the writes to the RAM. I realized the first read or maybe
first few would be reading directory entries to find the USERID.SYS
file, which is a plain text file containing the login names, passwords,
cp/m user area, and privilege level. However, no matter what I did, the
data didn't make sense.
I thought perhaps I messed up the order of the data pins, so I buzzed
out which chip drove the DOn (data out) S100 pins. Again, I did the
login thing, assuming that any time this sector buffer ram was being
read that the data would be appearing on the S100 bus. Apparently not so.
So I switched gears. I shuffled cards around to make space and
connected the logic analyzer to the Z80 and set a trigger for I/O port
operations, triggering on the first IN from the port corresponding to
the sector buffer. Pay dirt. I quickly got the list of users and
passwords, and tried them and they worked.
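The capture described above amounts to reassembling a stream of Z80 IN cycles from one port back into the sector the controller was draining, and then reading the plaintext that was in it. The following is an added example (not code from the post, and not IMS software) that does exactly that on a constructed trace: port numbers, the command and status values, and the comma-separated record layout are assumptions, since the post only says the file is plain text; the 1 KB buffer size and the CP/M habit of padding text files with ^Z are real. The point it makes is the defensive one the post implies: a credential file stored in the clear is fully recoverable by anyone who can watch the bus, so the only real protection is not to store the secret itself.

```python
"""Reassemble Z80 programmed-I/O reads captured by a logic analyzer.

Added example, not code from the post. The trace model is simplified:
one record per I/O cycle, (kind, port, data), where kind is "IN" or
"OUT", port is the low address byte and data is D0-D7. Port numbers,
the command/status values and the record layout of the text file are
all assumptions; only the 1 KB sector buffer size comes from the post.
"""
from dataclasses import dataclass

SECTOR_BYTES = 1024   # the controller's 1 KB SRAM sector buffer (from the post)
CMD_PORT = 0x40       # assumed controller command port
STATUS_PORT = 0x42    # assumed controller status port
DATA_PORT = 0x41      # assumed sector-buffer data port (the trigger port)
CPM_EOF = 0x1A        # CP/M text files are padded to a sector boundary with ^Z


@dataclass(frozen=True)
class IoCycle:
    kind: str   # "IN" (IORQ+RD) or "OUT" (IORQ+WR)
    port: int   # low address byte during the cycle
    data: int   # byte on the data bus


def sectors_from_trace(trace, port=DATA_PORT, length=SECTOR_BYTES):
    """Collect every IN from `port` and cut the stream into sector-sized
    chunks, mirroring a trigger on the first IN from the sector-buffer
    port. A trailing partial sector is kept as-is."""
    stream = bytearray(c.data for c in trace if c.kind == "IN" and c.port == port)
    return [bytes(stream[i:i + length]) for i in range(0, len(stream), length)]


def text_records(sector):
    """Split a CP/M-style text sector into lines, stopping at the ^Z pad.
    Non-ASCII bytes (e.g. 0xE5 directory fill) are shown as U+FFFD."""
    eof = sector.find(bytes([CPM_EOF]))
    body = sector if eof < 0 else sector[:eof]
    return [line.decode("ascii", errors="replace")
            for line in body.split(b"\r\n") if line]


def build_constructed_trace(payloads):
    """Produce a trace the way programmed I/O would: a command OUT, a status
    poll IN, then one IN per byte of each sector. Constructed sample data."""
    trace = []
    for payload in payloads:
        trace.append(IoCycle("OUT", CMD_PORT, 0x20))      # assumed 'read sector'
        trace.append(IoCycle("IN", STATUS_PORT, 0x80))    # assumed 'buffer ready'
        sector = payload.ljust(SECTOR_BYTES, bytes([CPM_EOF]))
        trace.extend(IoCycle("IN", DATA_PORT, b) for b in sector)
    return trace


# Constructed sample: a directory-like sector first (the post notes the first
# reads locate the file), then a text sector in a hypothetical
# name,password,user-area,privilege layout with made-up values.
DIRECTORY_SECTOR = b"\x00USERID  SYS" + b"\xe5" * 20
CREDENTIAL_TEXT = b"OPERATOR,EXAMPLE1,0,15\r\nCLERK,EXAMPLE2,1,5\r\n"
CONSTRUCTED_TRACE = build_constructed_trace([DIRECTORY_SECTOR, CREDENTIAL_TEXT])


def recovered_records(trace=CONSTRUCTED_TRACE):
    """Return the text lines found in the last sector read from the buffer."""
    sectors = sectors_from_trace(trace)
    return text_records(sectors[-1])


if __name__ == "__main__":
    for n, sector in enumerate(sectors_from_trace(CONSTRUCTED_TRACE)):
        print(f"sector {n}:", text_records(sector))
```

The trigger on the first IN from the data port is what makes this work: OUTs to the command port and INs from the status port are ignored, and whatever was left in the buffer from directory reads simply lands in an earlier chunk. On a real capture the same filter would be applied to the analyzer's exported cycle list rather than to `build_constructed_trace` output.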
After disconnecting the logic analyzer, I captured the contents of the
various EPROMs, then called it a night. Bitsavers and Fritz Chwolka
both have interesting web pages, so I won't attempt to duplicate any of
that, but I will be taking some pictures, posting the HEX files for the
EPROMS and making links to the other IMS 5000 resources on the web.