search

c0d3z3r0 / smcbmc

Tool for decrypting Supermicro BMC firmware images
GNU General Public License v2.0
26 stars 4 forks source link

"ValueError: seek out of range" when used on REDFISH_X10DGO_3.75.bin #1

Closed mithro closed 1 year ago

mithro commented 1 year ago

I was trying to use this tool on the REDFISH_X10DGO_3.75.bin binary provided as part of the REDFISH_X10DGO_375.zip package from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/SYS-4028GR-TVRT/BMC

However, it errors out with the following;

python3 ./smcbmc/smcbmc.py REDFISH_X10DGO_3.75.bin REDFISH_X10DGO_3.75.decoded.bin
Traceback (most recent call last):
  File "/bmc/./smcbmc/smcbmc.py", line 104, in <module>
    decrypt_image(args.infile, args.outfile)
  File "/bmc/./smcbmc/smcbmc.py", line 92, in decrypt_image
    regions = extract_keys(mm)
  File "/bmc/./smcbmc/smcbmc.py", line 62, in extract_keys
    mi.seek(ct1_off - 4 * 16)
ValueError: seek out of range

65c777519248a378962fe3772581c0c0 REDFISH_X10DGO_3.75.bin

-rw-r----- 1 tim tim 33554432 Mar 15  2021 REDFISH_X10DGO_3.75.bin
-rw-r----- 1 tim tim 33554432 May  9 11:56 REDFISH_X10DGO_3.75.decoded.bin

I'm using Python 3.10.9 with pycrypto 2.6.1.

Any suggestion before I start digging in?

mithro commented 1 year ago

It looks like there might be no encryption here? https://github.com/devicenull/ipmi_firmware_tools/issues/7

c0d3z3r0 commented 1 year ago

Yep, looks like it. ipmi_firmware_tools support various X10D* boards and I would be surprised if X10DGO was different. They started to encrypt images starting with X11

mithro commented 1 year ago

Also getting a similar issue with https://www.supermicro.com/en/support/resources/downloadcenter/firmware/SSG-6049P-E1CR60L+/BMC

Which has a X11DSC+ motherboard and the ipmi_firmware_tools don't seem to work with.

c0d3z3r0 commented 1 year ago

Also getting a similar issue with https://www.supermicro.com/en/support/resources/downloadcenter/firmware/SSG-6049P-E1CR60L+/BMC

Which has a X11DSC+ motherboard and the ipmi_firmware_tools don't seem to work with.

The BMC image does not seem to be encrypted, even though it's X11*: image

Also, the output of read_header.py from ipmi_firmware_tools looks fine:

# ./read_header.py ../../../BMC_X11AST2500-9101MS_20221028_3.77.02_STDsp.bin 
Read 33554432 bytes

Firmware image: 1 Name: u-boot.bin Base: 0x0 Length: 0x3a378 CRC32: 0xcf999c04
Firmware image: 2 Name: pdb_seca.bin Base: 0x50000 Length: 0x10000 CRC32: 0xfdf442dc
Firmware image: 3 Name: pdb_isec.bin Base: 0x60000 Length: 0x10000 CRC32: 0xa04f0273
Firmware image: 4 Name: out_kernel.bin Base: 0x70000 Length: 0x207af0 CRC32: 0xd99350ae
Firmware image: 5 Name: out_rootfs_img.bin Base: 0x2c0000 Length: 0x1225000 CRC32: 0x944dc0f9
Firmware image: 6 Name: out_webfs_img.bin Base: 0x1512000 Length: 0x820020 CRC32: 0xabd690dc

Configuration info:

[flash]
total_size = 33554432

[global]
major_version = 0
minor_version = 0
footer_version = 3
type = aspeed

[images]
1 = present
2 = present
3 = present
4 = present
5 = present
6 = present

[image_1]
name = u-boot.bin
base_addr = 0x0
length = 0x3a378
checksum = 0xcf999c04

[image_2]
name = pdb_seca.bin
base_addr = 0x50000
length = 0x10000
checksum = 0xfdf442dc

[image_3]
name = pdb_isec.bin
base_addr = 0x60000
length = 0x10000
checksum = 0xa04f0273

[image_4]
name = out_kernel.bin
base_addr = 0x70000
length = 0x207af0
checksum = 0xd99350ae

[image_5]
name = out_rootfs_img.bin
base_addr = 0x2c0000
length = 0x1225000
checksum = 0x944dc0f9

[image_6]
name = out_webfs_img.bin
base_addr = 0x1512000
length = 0x820020
checksum = 0xabd690dc
mithro commented 1 year ago

Opps! Looks like I was giving it the bios rather than the BMC file!

Sorry about the noise.

mithro commented 1 year ago

It might be worth adding a better error message.