IMS 5000 system password file cracked
Jerome H. Fine
jhfinedp3k at compsys.to
Sun Apr 22 18:48:49 CDT 2007
> Jim Battle wrote:
> I've had an IMS 5000 system for about a year; I got it off ebay for a
> song ($35), but as I didn't know any login name and corresponding
> password, it has been a brick. I've thought of a couple ways to break
> the security, which isn't all that secure, but didn't due to lack of
> time. Finally I made time last night.
> So I switched gears. I shuffled cards around to make space and
> connected the logic analyzer to the Z80 and set a trigger for I/O port
> operations, triggering on the first IN from the port corresponding to
> the sector buffer. Pay dirt. I quickly got the list of users and
> passwords, and tried them and they worked.
> After disconnecting the logic analyzer, I captured the contents of the
> various EPROMs, then called it a night. Bitsavers and Fritz Chwolka
> both have interesting web pages, so I won't attempt to duplicate any
> of that, but I will be taking some pictures, posting the HEX files for
> the EPROMS and making links to the other IMS 5000 resources on the web.
Jerome Fine replies:
Thank you for the information. It should be useful in
another context to provide a clue as to how to proceed.
For example, if a duplicate of the hard drive can be produced,
then running under an emulator might be similar to hooking up
a logic analyzer. This would be a software solution.
Of course, having a duplicate of the hard drive would usually
allow a user to run the same software and look at the various
files, such as the one which contains the userid / passwords.
On the other hand, I suspect that the actual clear text of
the userid / passwords should never have been stored in a
file in the first place. If that is what you described (based
on what you specified above), that was a VERY serious error
in the security of the system. Rather, an encrypted set of
values should have been stored with an algorithm which does
not allow a reverse of the values. Then when an actual
userid / password is entered, the algorithm produces the
encrypted values which are extremely difficult to produce
and compares the encrypted values against the file values.
Of course, that is not what you wanted, so you were able to
find a solution. It shows what debugging at the hardware
level can do when the right equipment is available. In
short, don't ever rely on encrypted files on a system which
also contains the code to decrypt the files or the private
passwords required for the algorithm.
If you attempted to send a reply and the original e-mail
address has been discontinued due to a high volume of junk
e-mail, then the semi-permanent e-mail address can be
obtained by replacing the four characters preceding the
'at' with the four digits of the current year.
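The one-way scheme Jerome describes (store a non-reversible value, recompute it from the typed password, compare), as an added example that is not part of this thread or of any IMS 5000 software; PBKDF2-HMAC-SHA256 as the one-way function and the user names and passwords are constructed assumptions:

```python
import hashlib
import hmac
import os

# Constructed example: the credential table as it should never be kept, in clear text.
# Anyone who can read the file (or, as in the post, watch the sector buffer) has the passwords.
CLEARTEXT_TABLE = {"operator": "sector-buffer", "guest": "logic-analyzer"}

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware allows


def make_record(password: str) -> dict:
    """Store only a random salt and a one-way digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest from the password typed at login and compare it with the
    stored digest; nothing is decrypted, because the stored value cannot be reversed."""
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    # Constant-time comparison, so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(computed, record["digest"])


def convert_table(cleartext: dict) -> dict:
    """Replace every clear-text password with a salted one-way record."""
    return {user: make_record(pw) for user, pw in cleartext.items()}


def record_contains_password(record: dict, password: str) -> bool:
    """Check whether the bytes that would sit on disk reveal the password directly."""
    stored = record["salt"] + record["digest"]
    return password.encode("utf-8") in stored


if __name__ == "__main__":
    table = convert_table(CLEARTEXT_TABLE)
    for user, pw in CLEARTEXT_TABLE.items():
        assert verify(table[user], pw)
        assert not verify(table[user], pw + "x")
        assert not record_contains_password(table[user], pw)
    print("one-way records verified; clear text absent from stored bytes")
```

Because each record carries its own random salt, two users with the same password get different stored values, and the file alone gives a reader nothing to compare against a clear-text list.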