airbus-seclab / ilo4_toolbox
Toolbox for HPE iLO4 & iLO5 analysis
License: GNU General Public License v2.0
Hello!
I got an error when running the compiled iloscan (with edited targets: one IP range).
Error message:
panic: runtime error: index out of range
goroutine 1 [running]:
main.main()
../iloscan.go:157 +0x2e5
So line 157 is "targets := []string{os.Args[1]}"
What could it be?
It looks like iLO_Chassis_Management_Firmware_158.bin from https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=5378292&swItemId=MTX_acee361e49bb406e9174f471c7&swEnvOid=4184#tab1 is close to iLO5 but ilo5_extract.py fails to extract it.
$ python2.7 ilo5_extract.py ~/Desktop/iLO_Chassis_Management_Firmware_158.bin ~/Desktop/iLO_Chassis_Management_Firmware_158
[+] Extracting certificate 0
[+] Extracting certificate 1
[+] Extracting certificate 2
[+] iLO HPIMAGE header :
> img_magic : HPIMAGE
> version major : 0x1
> version minor : 0x1
> field_A : 0x00
> device id : ILO
0000 9d 7b 31 2f e3 c9 76 4d bf f6 b9 d0 d0 85 a9 52 .{1/..vM.......R
> field_1C : 0x1
> field_20 : 0x0
> field_24 : 0x0
> field_28 : 0x0
> field_2C : 0x0
> field_30 : 0x0
> field_34 : 0x0
> field_38 : 0x0
> field_3C : 0x10607e2
> version : 1.58
> name : iLO Chassis Manager
> gap
[+] iLO boot block footer:
> module : ��������������������������������
> fw_magic : 0xffffffff
> header_type : 0xffffffff
> field_28 : 0x-1
> type : 0x-1
> flags : 0xffffffff
> field_30 : 0xffffffff
> field_34 : 0xffffffff
> field_38 : 0xffffffff
> backward_crc_offset : 0xffffffff
> forward_crc_offset : 0xffffffff
> img_crc : 0xffffffff
> compressed_size : 0xffffffff
> decompressed_size : 0xffffffff
> field_50 : 0xffffffff
> field_54 : 0xffffffff
> crypto_params_index : 0xffff
> crypto_params_index 2 : 0xffff
> header_crc : 0xffffffff
> field_60 : 0xffffffff
> field_64 : 0xffffffff
> field_68 : 0xffffffff
> field_6C : 0xffffffff
> field_70 : 0xffffffff
> field_74 : 0xffffffff
> field_78 : 0xffffffff
> field_7C : 0xffffffff
> copyright : ��������������������������������������������������������������������������������������������������������������������������������
> signature
> fw_magic_end : 0x354f4c69
[+] header crc ok: 0xe2b03c14
[x] failed to check header crc: 0xffffffff
Error when trying
./insert_backdoor.sh ilo4_240.bin
I have downloaded the firmware from here
[-] Error, bad file content at offset 1410
Traceback (most recent call last):
File "./ilo4_repack.py", line 18, in <module>
with open(sys.argv[3], "rb") as f:
IOError: [Errno 2] No such file or directory: 'outdir/elf.bin.patched'
Hello,
I get this ValueError when I launch:
python ilo5_fw_decrypt.py --infile ilo5_235.bin
Traceback (most recent call last):
  File "/home/kali/Desktop/ILO_TOOLBOX/ilo4_toolbox/scripts/iLO5/ilo5_fw_decrypt.py", line 82, in <module>
    rsa_pkey = load_private_key()
  File "/home/kali/Desktop/ILO_TOOLBOX/ilo4_toolbox/scripts/iLO5/ilo5_fw_decrypt.py", line 50, in load_private_key
    pkey = RSA.import_key(key_buffer, passphrase=pem_password_cb())
  File "/usr/local/lib/python3.10/dist-packages/Crypto/PublicKey/RSA.py", line 736, in import_key
    return _import_keyDER(der, passphrase)
  File "/usr/local/lib/python3.10/dist-packages/Crypto/PublicKey/RSA.py", line 679, in _import_keyDER
    raise ValueError("RSA key format is not supported")
ValueError: RSA key format is not supported
I have pycryptodome 3.6.5. I use the same rsa_private_key_ilo5.asc file. I don't know why this error appears.
Thanks for your help,
Best regards
Bonjour!
ilo4_toolbox/scripts/iLO4/exploits/exploit_check_flash.py does not work with firmware versions other than 2.50 because ilo4_toolbox/scripts/iLO4/exploits/exploit_offsets.py is missing their respective 'VComClientSync_Call' definitions.
I did try to simply copy 2.50's definition of 'VComClientSync_Call' for version 1.53 without success.
Cheers!
Hi,
In demo 2 you use a script exploit_get_users.py which dumps users with passwords from ILO.
I can't find this script in the repo. Where is it?
I want to use it on my DL380e Gen8 which had a dead NAND issue, so I got another motherboard but without the tag with the default ILO password. I want to use this exploit so I can know what is the default password.
Any other way to know what is the default ILO password for my server is welcome.
[+] Patch applied to outdir/bootloader.bin.patched
[+] Patch applied to outdir/kernel_main.bin.patched
Traceback (most recent call last):
File "./patch_webserver_250.py", line 29, in <module>
handler_code = asm_sc(f.read())
File "./patch_webserver_250.py", line 11, in asm_sc
ks = Ks(KS_ARCH_ARM, KS_MODE_ARM)
NameError: global name 'Ks' is not defined
Traceback (most recent call last):
File "./ilo4_repack.py", line 18, in <module>
with open(sys.argv[3], "rb") as f:
IOError: [Errno 2] No such file or directory: 'outdir/elf.bin.patched'
[+] Firmware ready to be flashed
I'm unable to flash the firmware created using insert_backdoor.sh.
My setup is iLO4 version 2.50 with an ubuntu linux Host OS.
insert_backdoor.sh correctly creates the backdoored firmware "ilo4_250.bin.backdoored.toflash"
The script finishes and says "Firmware ready to be flashed" however when attempting to flash the firmware using the iLO Web Gui it fails to flash the firmware.
I noticed in your demo gif when the insert_backdoor.sh script finishes it references a script "exploit_write_flash_page.py". I can't seem to find this script in the code you provide and my version of insert_backdoor.sh simply says "Firmware ready to be flashed" when it completes.
What is the correct method of flashing the backdoored firmware?
Thanks again for your help and for your awesome contribution to the community. Really great work.
Hi,
when decrypting firmware above ilo5 2.78, it gives an error:
[x] decrypt_and_verify failed? MAC tag is not valid,
Has anyone found a replacement for /rest/v1/AccountService/Accounts to use the Authentication Bypass Exploit on older iLO4 Versions (<2.00)?
backdoor_client.py requires linux_backdoor.S to inject the backdoor code to Linux side.
However, linux_backdoor.S is missing now, so please upload it for a good demo.
I'm not sure if the issue is already known or not, but it feels like HPE iLO 4 <= 2.60 always reveals the hardware serial number, the model name and the model description when accessing, unauthenticated, the URL http://…/upnp/BasicDevice.xml of HPE iLO. I did not find any way in the HPE iLO interface to disable this, specifically at "Insight Management Integration", the "Level of Data Returned" is set to "Disabled (No Response to Request)".
Completely obfuscated example from a random HPE iLO4 with firmware 2.60 found on the Internet via port 80 (HTTP) and port 443 (HTTPS):
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>ILOAB01234C5D</friendlyName>
<manufacturer>Hewlett Packard Enterprise</manufacturer>
<manufacturerURL>http://www.hpe.com/</manufacturerURL>
<modelDescription>iLO 4 in ProLiant DL360 Gen9</modelDescription>
<modelName>iLO 4 in ProLiant DL360 Gen9</modelName>
<modelNumber>2.60</modelNumber>
<modelURL>http://www.hpe.com/info/ilo</modelURL>
<serialNumber>AB01234C5D</serialNumber>
<UDN>uuid:5c745d4b-4316-44a0-be17-4499304f1b9e</UDN>
<iconList>
<icon>
<mimetype>image/x-icon</mimetype>
<width>48</width>
<height>48</height>
<depth>32</depth>
<url>/favicon.ico</url>
</icon>
</iconList>
<presentationURL>/</presentationURL>
</device>
</root>
While this might not be a huge information leak, it still makes the serial number accessible, which is enough to keep the HPE support busy and/or to continue with some social hacking/engineering methods.
Let me know in case the issue is not known to you and this should be followed up with HPE PSRT, but then I would like to ask you for assistance.
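An added example (not part of the original issue or of the toolbox): a defender-side audit of a saved BasicDevice.xml response from one's own iLO, listing which identifying elements an unauthenticated reader obtains. The sample is a trimmed copy of the obfuscated document quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
# Elements of the device description that identify the hardware or firmware.
IDENTIFYING = ("friendlyName", "modelName", "modelDescription",
               "modelNumber", "serialNumber", "UDN")

# Constructed sample: trimmed copy of the obfuscated document quoted above.
SAMPLE = """<root xmlns="urn:schemas-upnp-org:device-1-0">
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>ILOAB01234C5D</friendlyName>
<manufacturer>Hewlett Packard Enterprise</manufacturer>
<modelDescription>iLO 4 in ProLiant DL360 Gen9</modelDescription>
<modelName>iLO 4 in ProLiant DL360 Gen9</modelName>
<modelNumber>2.60</modelNumber>
<serialNumber>AB01234C5D</serialNumber>
<UDN>uuid:5c745d4b-4316-44a0-be17-4499304f1b9e</UDN>
</device>
</root>"""


def disclosed_fields(xml_text):
    """Return {element: value} for each identifying element that is populated."""
    # The response comes from a network device: refuse DTDs rather than
    # letting the parser expand entities.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD present; refusing to parse device response")
    device = ET.fromstring(xml_text).find("d:device", NS)
    if device is None:
        return {}
    fields = {}
    for name in IDENTIFYING:
        value = device.findtext("d:" + name, default="", namespaces=NS).strip()
        if value:
            fields[name] = value
    return fields


def audit(xml_text):
    """List what an unauthenticated reader of the document learns."""
    fields = disclosed_fields(xml_text)
    findings = []
    serial = fields.get("serialNumber")
    if serial:
        findings.append("serial number disclosed")
        # Hiding <serialNumber> alone is not enough if other elements embed it.
        for name, value in fields.items():
            if name != "serialNumber" and serial in value:
                findings.append("serial also embedded in " + name)
    if "modelName" in fields or "modelDescription" in fields:
        findings.append("server model disclosed")
    if "modelNumber" in fields:
        # In the sample the modelNumber element carries the firmware version.
        findings.append("firmware version disclosed: " + fields["modelNumber"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("[!]", finding)
```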
The dissection.rb script does not work on ilo5_135.bin. At that time it is unclear if it is a quirk of this version or a problem with the script itself. From the output below it looks like it is not able to locate the first module name and also the type, offset and size fields seem wrong:
ilo4_toolbox/scripts/iLO5$ ruby dissection.rb ilo5_135.bin_outdir/elf_main.bin
ruby: warning: shebang line ending with \r may cause problems
> extract from ilo5_135.bin_outdir/elf_main.bin
--
> - type 1946157056 - offset 0x00000000 - size 0x00000000 bytes
Traceback (most recent call last):
4: from dissection.rb:346:in `<main>'
3: from dissection.rb:324:in `extract_mods'
2: from dissection.rb:324:in `each'
1: from dissection.rb:335:in `block in extract_mods'
dissection.rb:335:in `join': no implicit conversion of nil into String (TypeError)
A working case with another firmware version e.g. on ilo5_130.bin is:
ilo4_toolbox/scripts/iLO5$ ruby dissection.rb ilo5_130.bin_outdir/elf_main.bin
ruby: warning: shebang line ending with \r may cause problems
> extract from ilo5_130.bin_outdir/elf_main.bin
--
> .dvrspi.elf.RO - type PROGBITS - offset 0x00007574 - size 0x00003f58 bytes
> .dvrspi.elf.RW - type PROGBITS - offset 0x0000b4cc - size 0x00000694 bytes
> .libINTEGRITY.so.RO - type PROGBITS - offset 0x0000bb60 - size 0x000048c0 bytes
> .libINTEGRITY.so.RW - type PROGBITS - offset 0x00010420 - size 0x00000018 bytes
> .libc.so.RW - type PROGBITS - offset 0x00010438 - size 0x000009c0 bytes
> .VComCShared_RM.so.RW - type PROGBITS - offset 0x00010df8 - size 0x00000070 bytes
> .dvrgpio.elf.RW - type PROGBITS - offset 0x00010e68 - size 0x0000109c bytes
> .libc.so.RO - type PROGBITS - offset 0x00011f04 - size 0x00035ff8 bytes
> .VComCShared_RM.so.RO - type PROGBITS - offset 0x00047efc - size 0x00008a90 bytes
> .dvrgpio.elf.RO - type PROGBITS - offset 0x0005098c - size 0x00008738 bytes
...
I am not sure if it is a problem similar to #8
Tested with the latest version: a3e4b31
The dissection.rb script does not work on ilo4_101.bin. At that time it is unclear if it is a quirk of this version or a problem with the script itself. From the output below it looks like it is not able to locate the right number of entries for task 0x10, 0x11 and 0x12:
ilo4_toolbox/scripts/iLO4$ ruby dissection.rb ilo4_101.bin_outdir/elf.bin
ruby: warning: shebang line ending with \r may cause problems
> extract from ilo4_101.bin_outdir/elf.bin
--
[..].
> task 0x0f (C:\ilo4\r101\secmgr\bin\secmgr.elf) - 0x00000039 entries
range: dw1 0x00 - dw2 0x007 - base 0x00001000 - size 0x0000F000 - id 0xffffffff
range: dw1 0x01 - dw2 0x005 - base 0x00010000 - size 0x00066000 - id 0x00000122 - .blackbox.elf.text
range: dw1 0x00 - dw2 0x007 - base 0x00076000 - size 0x00002000 - id 0xffffffff
range: dw1 0x01 - dw2 0x007 - base 0x00078000 - size 0x000D7000 - id 0x00000123 - .blackbox.elf.data
range: dw1 0x01 - dw2 0x007 - base 0x00150000 - size 0x00004000 - id 0x00000129 - .blackbox.Initial.stack
range: dw1 0x01 - dw2 0x007 - base 0x00154000 - size 0x000B4000 - id 0x0000012a - .blackbox.heap
range: dw1 0x00 - dw2 0x007 - base 0x00208000 - size 0x00010000 - id 0xffffffff
range: dw1 0x00 - dw2 0x107 - base 0x00218000 - size 0x00008000 - id 0xffffffff
range: dw1 0x00 - dw2 0x107 - base 0x00220000 - size 0x00004000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x00224000 - size 0x003DC000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x00600000 - size 0x01000000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01600000 - size 0x00180000 - id 0xffffffff
range: dw1 0x01 - dw2 0x005 - base 0x01780000 - size 0x0002E000 - id 0x00000022 - .libc.so.text
range: dw1 0x00 - dw2 0x007 - base 0x017ae000 - size 0x00002000 - id 0xffffffff
range: dw1 0x01 - dw2 0x007 - base 0x017b0000 - size 0x00001000 - id 0x00000125 - .libc.so.data
range: dw1 0x00 - dw2 0x007 - base 0x017b1000 - size 0x00003000 - id 0xffffffff
range: dw1 0x01 - dw2 0x007 - base 0x017b4000 - size 0x00001000 - id 0x00000126 - .libc.so.bss
range: dw1 0x00 - dw2 0x007 - base 0x017b5000 - size 0x0002B000 - id 0xffffffff
range: dw1 0x01 - dw2 0x005 - base 0x017e0000 - size 0x00007000 - id 0x00000020 - .libINTEGRITY.so.text
range: dw1 0x00 - dw2 0x007 - base 0x017e7000 - size 0x00001000 - id 0xffffffff
range: dw1 0x01 - dw2 0x007 - base 0x017e8000 - size 0x00001000 - id 0x00000124 - .libINTEGRITY.so.data
range: dw1 0x00 - dw2 0x007 - base 0x017e9000 - size 0x00417000 - id 0xffffffff
range: dw1 0x01 - dw2 0x005 - base 0x01c00000 - size 0x0003B000 - id 0x00000025 - .libevlog.so.text
range: dw1 0x00 - dw2 0x007 - base 0x01c3b000 - size 0x00001000 - id 0xffffffff
range: dw1 0x01 - dw2 0x007 - base 0x01c3c000 - size 0x00002000 - id 0x00000127 - .libevlog.so.data
range: dw1 0x00 - dw2 0x007 - base 0x01c3e000 - size 0x00002000 - id 0xffffffff
range: dw1 0x01 - dw2 0x007 - base 0x01c40000 - size 0x00008000 - id 0x00000128 - .libevlog.so.data
range: dw1 0x00 - dw2 0x007 - base 0x01c48000 - size 0x002B8000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f00000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f01000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f02000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f03000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f04000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f05000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f06000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f07000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f08000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f09000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f0a000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f0b000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f0c000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f0d000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f0e000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f0f000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f10000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f11000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f12000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f13000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f14000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f15000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f16000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f17000 - size 0x00004000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f1b000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f1c000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f1d000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f1e000 - size 0x00001000 - id 0xffffffff
range: dw1 0x00 - dw2 0x007 - base 0x01f1f000 - size 0x000E1000 - id 0xffffffff
> task 0x10 (C:\ilo4\r101\pwrmgr\bin\pwrmgr.elf) - 0x00000000 entries
> task 0x11 (C:\ilo4\r101\webserv\bin\webserv.elf) - 0x00000000 entries
> task 0x12 (C:\ilo4\r101\ribcl\bin\ribcl.elf) - 0x02a4d869 entries
Traceback (most recent call last):
19: from dissection.rb:355:in `<main>'
18: from dissection.rb:255:in `list_boottable'
17: from (eval):1:in `times'
16: from (eval):1:in `times'
15: from dissection.rb:263:in `block in list_boottable'
14: from (eval):1:in `times'
13: from (eval):1:in `times'
12: from dissection.rb:264:in `block (2 levels) in list_boottable'
11: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:21:in `read'
10: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:145:in `read'
9: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:254:in `start_read'
8: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:147:in `block in read'
7: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/struct.rb:139:in `do_read'
6: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/struct.rb:139:in `each'
5: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/struct.rb:139:in `block in do_read'
4: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base_primitive.rb:129:in `do_read'
3: from (eval):23:in `read_and_return_value'
2: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/io.rb:276:in `readbytes'
1: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/io.rb:312:in `read'
/var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/io.rb:162:in `read_raw': undefined method `read' for nil:NilClass (NoMethodError)
Hi,
insert_backdoor.sh did not work properly, so I patched the bootloader and kernel manually with a hex editor.
Then I changed patch_webserver.py like this, commenting out the capstone-related code in the program because it generated errors:
from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM

# Disassemble ARM shellcode bytes and print one instruction per line.
def disasm_sc(sc):
    cs = Cs(CS_ARCH_ARM, CS_MODE_ARM)
    for i in cs.disasm(sc, 0):
        print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
After that I manually applied some changes to elf.bin from the "outdir" folder, like changing the value at offset 0x188B18 to "D43C1A00" with a hex editor.
But when I wanted to upload ilo4_250.bin (ilo4_250.bin.backdoored.toflash) from the iLO web interface, it contained some errors, so the firmware update process could not complete successfully.
https://github.com/airbus-seclab/ilo4_toolbox/blob/master/scripts/iLO4/exploits/exploit_check_flash.py ends with iLO4 2.55 while 2.60 was already released in May 2018.
I'd like to extend the functionality. How did you come up with the offsets in hp_ilo_4_250.h for libc.so?
/* libc.so */
static void *(*malloc)(size_t size) = (const void *)0x017B85E8;
etc...
Hi,
I try to traverse the physical memory through DMA. When I read an address above 3G (possibly an MMIO address), iLO will crash and restart.
Reading addresses that exceed the upper limit of physical memory can cause the same problem.
It can be determined that the CopyFromMemoryRegion function caused the crash after writing the address to the register.
iLO version is iLO4 - 250, hardware is HP Microserver Gen 8, and I tried both the web & ssh exploit.
My question is:
I tried to reverse the CHIF task, but couldn't find the answer.
Is it possible to make a fan speed mod for the ILO? In the elf.bin there is a Thermal.json file that I think could be modified to allow the temperature thresholds to be modified.
After a number of custom firmware flashes, I now have an unresponsive iLO. Web does not work, SSH does not work, iLO is not visible during boot, and HP's Linux-based flasher also does not work.
Is there another way (short of a SPI programmer) to recover from a bad update? A backup ROM, perhaps?