IMS 5000 system password file cracked

Jim Battle frustum at pacbell.net
Sun Apr 22 09:27:14 CDT 2007


I've had an IMS 5000 system for about a year; I got it off ebay for a 
song ($35), but as I didn't know any login name and corresponding 
password, it has been a brick.  I've thought of a couple ways to break 
the security, which isn't all that secure, but didn't due to lack of 
time.  Finally I made time last night.

The machine specifically is an IMS 5000 IS.  It is a very well built 
late model S-100 system, aimed at professional applications.  This one 
came from a dentist's office.  The main unit contains a 12" CRT, an 
intelligent terminal control board (8085 based) which is connected via 
an internal serial port to a Z80 CPU card in the main S-100 chassis. 
This is a TurboDOS system, meaning it is a multiprocessing Z80 system. 
Serial ports on the back of the machine can connect to remote terminals; 
I have one other remote head, also made by IMS.

The machine has a 10MB Rodime hard drive, still working, a single DSDD 
floppy (although there is room for another), a master Z80 CPU, a 64KB 
parity checked DRAM card, and two MPUs.  An MPU is a card containing a 
slave Z80 processor with its own 64KB parity checked DRAM and serial 
ports, etc.

Although I have the docs showing the gross functionality, I have no 
schematics for any of this.

First I rebuilt disk images from Fritz Chwolka's webpage for the IMS 
5000, but for whatever reason I couldn't boot these disks.  IMS made 
more than one configuration of this machine, so it wasn't entirely 
unexpected.  Next I tried a hardware approach.

The hard disk controller has a 1KB SRAM buffer for holding an inbound or 
outbound sector.  Programmed IN/OUT transfers fill or drain the buffer, 
not DMA.  First I verified that the address lines on the RAM were wired 
in conventional order by seeing what pins they were wired to on the 
74LS193s forming the address counter.  The data pin order was more of a 
question, but I assumed that since the address lines were connected in 
consecutive order, the data pins would be too.  I hooked up a logic 
analyzer to the RAMs, booted the system, and waited for the password 
prompt.  I typed some gibberish and hit return, and the logic analyzer 
captured the writes to the RAM.  I realized the first read or maybe 
first few would be reading directory entries to find the USERID.SYS 
file, which is a plain text file containing the login names, passwords, 
CP/M user area, and privilege level.  However, no matter what I did, the 
data didn't make sense.

I thought perhaps I messed up the order of the data pins, so I buzzed 
out which chip drove the DOn (data out) S100 pins.  Again, I did the 
login thing, assuming that any time this sector buffer RAM was being 
read the data would appear on the S100 bus.  Apparently not so.

So I switched gears.  I shuffled cards around to make space and 
connected the logic analyzer to the Z80 and set a trigger for I/O port 
operations, triggering on the first IN from the port corresponding to 
the sector buffer.  Pay dirt.  I quickly got the list of users and 
passwords, and tried them and they worked.

After disconnecting the logic analyzer, I captured the contents of the 
various EPROMs, then called it a night.  Bitsavers and Fritz Chwolka 
both have interesting web pages, so I won't attempt to duplicate any of 
that, but I will be taking some pictures, posting the HEX files for the 
EPROMs and making links to the other IMS 5000 resources on the web.
