This tiny tool can decrypt Supermicro BMC firmware images by first reading the keys from libipmi.so inside the rootfs, then decrypting the headers of the three regions rootfs, webfs and metadata.
Just provide the encrypted image as input and a filename for the decrypted image:
./smcbmc.py SMT_X11_xyz.bin decrypted.bin
This is a very nice example of Security-by-Obscurity ...
The keys are hardcoded in libipmi.so, which contains the code to decrypt and flash the image through the web interface or via IPMI. This library lives inside the root filesystem, a CRAMFS. Only the header of this filesystem was encrypted with AES-CBC using these keys, to "protect" the firmware image. That means the main part of the filesystem is unencrypted and can be extracted to get the keys.
Yep. Just split the image with dd or the tool of your choice. Look at offset 0x01fc0000 for the metadata section, which contains the offsets of the other regions.
Yes, the BMC accepts unencrypted images, too.
Yes, you just have to adapt the offsets, sizes and CRC checksums in the metadata section. Use ipmi_firmware_tools, for example.
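As an added example (this is not the smcbmc tool's code, and it uses a made-up region table layout rather than Supermicro's real metadata format), the script below walks through the steps the answers above describe: read a region table at 0x01fc0000, carve the regions the way dd would, check that a region is encrypted only in its header by comparing header and body entropy and looking for the cramfs magic, pull printable strings out of the plaintext body, and refresh a region's size and CRC32 in the table after replacing it with an unencrypted one. Python's standard library has no AES, so in the constructed sample image random bytes stand in for the AES-CBC encrypted header; the HEADER_LEN of 4096, the ENTRY layout and the sample offsets are assumptions made for this example.

```python
import math
import os
import struct
import zlib

# Offset of the metadata section in the images the README describes.
METADATA_OFFSET = 0x01FC0000
# Assumption for this example: only the first HEADER_LEN bytes of a region
# are encrypted; the real encrypted header size is not stated on this page.
HEADER_LEN = 4096
# cramfs super-block magic 0x28cd3d45 as it appears on disk (little-endian).
CRAMFS_MAGIC = b"\x45\x3d\xcd\x28"
# Hypothetical table entry (NOT Supermicro's real metadata format):
#   name[8] | offset u32 | size u32 | crc32 u32, little-endian;
#   an all-zero name terminates the table.
ENTRY = struct.Struct("<8sIII")


def shannon_entropy(data):
    """Bits per byte: close to 8 for ciphertext, far lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_metadata(image, offset=METADATA_OFFSET):
    """Read the region table: {name: (offset, size, crc32)}."""
    entries, pos = {}, offset
    while pos + ENTRY.size <= len(image):
        name, off, size, crc = ENTRY.unpack_from(image, pos)
        if name == b"\0" * 8:
            break
        entries[name.rstrip(b"\0").decode()] = (off, size, crc)
        pos += ENTRY.size
    return entries


def carve(image, entries):
    """Split the image into regions, the same thing the README does with dd."""
    return {n: bytes(image[off:off + size]) for n, (off, size, _) in entries.items()}


def verify_crcs(image, entries):
    """True if every region's CRC32 matches its table entry."""
    return all(zlib.crc32(bytes(image[off:off + size])) == crc
               for off, size, crc in entries.values())


def header_only_encrypted(region, header_len=HEADER_LEN, sample=4096):
    """Spot the weakness the README describes: a random-looking header
    followed by a plaintext body that still carries the cramfs magic."""
    head = region[:header_len]
    body = region[header_len:header_len + sample]
    return (shannon_entropy(head) > 7.5 and shannon_entropy(body) < 6.0
            and CRAMFS_MAGIC in body)


def printable_strings(data, min_len=6):
    """strings(1)-style scan; a plaintext body leaks names like libipmi.so."""
    out, cur = [], bytearray()
    for b in bytes(data) + b"\0":          # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    return out


def replace_region(image, entries, name, new_data, meta_offset=METADATA_OFFSET):
    """Overwrite region `name` in a bytearray image (e.g. with an unencrypted
    rebuild) and refresh its size and CRC32 in the table. Refuses to grow
    into the next region or into the table itself."""
    off = entries[name][0]
    limit = min([o for o, _, _ in entries.values() if o > off] + [meta_offset])
    if off + len(new_data) > limit:
        raise ValueError(f"{name}: {len(new_data)} bytes would overrun the next region")
    image[off:off + len(new_data)] = new_data
    pos = meta_offset
    while pos + ENTRY.size <= len(image):
        ename, eoff, _, _ = ENTRY.unpack_from(image, pos)
        if ename.rstrip(b"\0").decode() == name:
            ENTRY.pack_into(image, pos, ename, eoff, len(new_data), zlib.crc32(new_data))
            return parse_metadata(image, meta_offset)
        pos += ENTRY.size
    raise KeyError(name)


def build_sample_image():
    """Constructed sample (not a real dump): two regions whose headers are
    random bytes standing in for AES-CBC ciphertext, plus the region table."""
    def region(listing):
        body = CRAMFS_MAGIC + b"\0" * 12 + listing   # zeroed rest of super-block
        return os.urandom(HEADER_LEN) + body + b"\0" * (4096 - len(body))
    layout = {"rootfs": (0x1000, region(b"/lib/libipmi.so\0/etc/passwd\0")),
              "webfs": (0x100000, region(b"/cgi/login.cgi\0"))}
    image = bytearray(METADATA_OFFSET + 3 * ENTRY.size)
    pos = METADATA_OFFSET
    for name, (off, data) in layout.items():
        image[off:off + len(data)] = data
        ENTRY.pack_into(image, pos, name.encode(), off, len(data), zlib.crc32(data))
        pos += ENTRY.size
    return image


if __name__ == "__main__":
    img = build_sample_image()
    table = parse_metadata(img)
    for name, blob in carve(img, table).items():
        paths = [s for s in printable_strings(blob) if s.startswith("/")]
        print(name, "header-only encryption:", header_only_encrypted(blob), "paths:", paths)
```

The entropy thresholds are heuristics for telling ciphertext from a mostly-zero or text-like body; on a real dump, read the region offsets and sizes from the actual metadata format (ipmi_firmware_tools documents it) instead of the toy table used here.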
Well, this is not a question. You should contact someone who can help you fix your (physical) security issues. This is not a "hacking tool" ...
No, I did not. You published the keys in the image.
Uhm, nope.
- Eclypsium Blog: Insecure Firmware Updates in Server Management Systems
- Rapid7 Blog: Supermicro IPMI Firmware Vulnerabilities
- Supermicro: Cryptographic Signed BMC Firmware
- ipmi_firmware_tools
Copyright (C) 2020 Michael Niewöhner
This is open source software, licensed under GPLv2. Refer to the license header in each covered file. See LICENSE for the full license.