
5364 S/36PC info, anyone? (long post)


Mike Ross

Mar 12, 2001, 10:36:29 PM
Dave,

Between us, a Mr. Bankras and myself managed to dredge up the required
runes to 'hack' into a System/36 where the userid & password are
unknown. Here is the method: (I'm reposting this from Deja^h^h^hGoogle
as it seems to have not been picked up by my news server- PLEASE use
fixed-pitch font to display so that the tabulated data makes sense!)

I've got two 5364s myself, I've never managed to get either of them
going as I don't have a sufficiently slow front end - the slowest 486
I could find still gave memory errors on both systems during POST.
I've blagged an ancient genuine IBM AT from work, hopefully this will
work. If you get stuck on an error code or similar let me know - I've
got all the docs.

Mike

Rangers Catering Corps - 'We boil for the One, we fry for the One'
http://www.corestore.org


On Sun, 26 Nov 2000 10:20:18 +0100, "R.G. Bankras"
<r.g.b...@student.utwente.nl> wrote:

>Some time ago someone asked here about a security backdoor to get the
>master account password. I have an old 5362 with security officer
>accounts, but I don't have the master password. Can anyone help me out?

Radko,

I finally found something I mislaid two years ago, and promised to
post - the full instructions on breaking a lost password on S/36. I
don't have a functional 36 here just now, so I can't debug this or
offer advice beyond this verbatim transcript, but I do know it worked
for me once!

either

a)
Put 36 into service mode
Press MSP stop (for alter/display menus)
Option 1 - display main storage address 0A17
This is a three byte address of start of VTOC on disk.
Display this disk address (Option 2).
Scroll through VTOC until you find "F1 *.SECUID0".
At displacement Hex 27 into this entry is the three byte address
of the start of the security file data.

or

b)
Put 36 into service mode
Press MSP stop (for alter/display menus)
Option 1 - display main storage address 0A47
This is the three byte address of the start of the security file
data. (Should be the same as found by method a) ).


The first sector displayed is a header. Scroll to the next sector; this
contains the first two security entries - the first hex 7F bytes are
the first entry, the second hex 7F bytes are the second entry.
Scrolling to the next sector will give the third and fourth entries etc.

Write down the first sixteen bytes (address 0000 to 000F) of the top
line and split as below:

XX|XXXXXX XXXXXXXX XX|XXXX|XX XXXXXX|XX
  |       I.D.       |    |  PASS   |

The ID and password are as above, but encoded.

To obtain the ID, you must subtract, byte for byte, the following
constants: 32 0A B9 16 8C 59 7E A3

No carry to or from any adjoining byte is necessary. Where the value
to be subtracted from is less than the constant, add hex 100 then
subtract the constant, E.G. :

01 | 16 EC 7E EF 7D 99 BE E3 | 48 F6 | 0D DA CE E3 | C3
   | 32 0A B9 16 8C 59 7E A3 |       |             |

byte 1:   16    but add 100 gives   116
          32-                        32-
          --                        ---
          E4                         E4

byte 2:   EC
          0A-
          --
          E2

ETC ETC

doh! damn!

I've just realised that page two of this procedure, which deals with
the password, isn't in this folder. grrrrrrrrrrrr. If I can find it,
I'll post it. If anyone can confirm the constants and procedure for
the password, please let me know. I can't recall if it is a simple
subtraction, and there are some scribbled notes which seem to indicate
that the password constants are: AD 00 00 1E - but I may be very
wrong.

Well this is a start anyway!

Mike

Michael Ross wrote:

> I finally found something I mislaid two years ago, and promised to
> post - the full instructions on breaking a lost password on S/36.

Well, this morning I figured it all out ... :-)

Since my machine is a 5362 I don't have an MSP button to find the
starting sector of the #SECUID0 file. However, during previous
attempts I have been looking (staring) at this file. There are two
other methods to find the start of this file:

1. The table of contents can be found near the beginning of the
hard disk. Using PATCH F1 I found that sector 1965 is the lowest
accessible sector. Browsing through the next sectors the TOC is easily
recognized. Michael is absolutely right about: "you find 'F1
*.SECUID0'. At displacement hex 27 into this entry is the three byte
address of the start of the security file data." I found the address
01 09 B6.

2. Using the CATALOG procedure, it is possible to list the contents of
the hard disk, sorted on location. With this list I found two
libraries, with the system file #SECUID0 in between. A different
procedure (don't remember right now) can be used to list the
properties of the two libraries, including the starting sector
addresses. Again, PATCH F1 can be used to browse through the
sectors to look for the #SECUID0 file, which is easily recognized
(sector is completely filled with data).

Michael is also right about the constant 32 0A B9 16 8C 59 7E A3,
which has to be subtracted from the username data. The positions of
the username and password are also correct. After subtraction, an
EBCDIC code table can be used to decode the username.

Well, finally the password. In fact, the password is encrypted using
two subtractions: one based on the middle four characters of the 8
character password. The second subtraction is a constant value, but
not the one according to Michael. The constant I found is B9 16 8C 59.

So for example:

encrypted username:   06 CB 9B F9 51 32 BE E3
subtraction:          32 0A B9 16 8C 59 7E A3
                      -----------------------
result:               D4 C1 E2 E3 C5 D9 40 40
readable (EBCDIC):    M  A  S  T  E  R


                            use encrypted    use decrypted
                            username:        username:
encrypted password:         28 50 3B D4      28 50 3B D4
subtr. part of username:    9B 56 CC 99      E2 E3 C5 D9
                            -----------      -----------
result:                     8D FA 6F 3B      46 6D 76 FB
subtract constant:          B9 16 8C 59      72 89 93 19
                            -----------      -----------
result:                     D4 E4 E3 E2      D4 E4 E3 E2
readable (EBCDIC):          M  U  T  S       M  U  T  S
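The subtraction scheme the two posts describe, as an added Python example (not code from either poster): it splits the 16-byte entry header laid out in the first post, decodes the user ID with the constant 32 0A B9 16 8C 59 7E A3, and decodes the password following the "use decrypted username" column of the table above (middle four bytes of the decoded ID, then the constant 72 89 93 19). It assumes Python's cp037 codec is an adequate EBCDIC table for the letters, digits and spaces involved; what it makes concrete is that both transforms use fixed, key-free constants, so the file gives no protection beyond access control on the disk itself.

```python
# Added example, not from the thread: decoder for the #SECUID0 entry
# header and the byte-wise subtraction scheme the two posts describe.
# EBCDIC decoding uses Python's cp037 codec (assumption: adequate for
# the letters, digits and spaces that appear in these entries).

ID_CONSTANT = bytes.fromhex("32 0A B9 16 8C 59 7E A3")
# Password constant from the "use decrypted username" column of the table.
PW_CONSTANT = bytes.fromhex("72 89 93 19")


def sub_bytes(data: bytes, key: bytes) -> bytes:
    """Subtract key from data byte for byte, modulo 256, with no carry
    between bytes (the 'add hex 100 then subtract' rule)."""
    return bytes((d - k) % 256 for d, k in zip(data, key))


def split_entry(entry: bytes) -> dict:
    """Split a 16-byte entry header: XX | ID (8) | XX XX | PASS (4) | XX."""
    if len(entry) != 16:
        raise ValueError("entry header must be exactly 16 bytes")
    return {"flag": entry[0], "id": entry[1:9], "mid": entry[9:11],
            "pw": entry[11:15], "tail": entry[15]}


def decode_id(raw_id: bytes) -> bytes:
    """Encoded 8-byte user ID -> EBCDIC bytes."""
    return sub_bytes(raw_id, ID_CONSTANT)


def decode_password(raw_pw: bytes, decoded_id: bytes) -> bytes:
    """Encoded 4-byte password -> EBCDIC bytes: subtract the middle four
    bytes of the decoded user ID, then the fixed constant."""
    return sub_bytes(sub_bytes(raw_pw, decoded_id[2:6]), PW_CONSTANT)


def ebcdic(data: bytes) -> str:
    return data.decode("cp037")


def decode_entry(entry: bytes) -> tuple:
    """Return (user id, password) as text for one 16-byte entry header."""
    fields = split_entry(entry)
    uid = decode_id(fields["id"])
    return ebcdic(uid), ebcdic(decode_password(fields["pw"], uid))


if __name__ == "__main__":
    # Worked example from the thread: MASTER / MUTS.
    uid = decode_id(bytes.fromhex("06 CB 9B F9 51 32 BE E3"))
    print(ebcdic(uid), ebcdic(decode_password(bytes.fromhex("28 50 3B D4"), uid)))
```

The 16-byte sample header in the first post decodes, via decode_id, to the user ID "USER1"; its password field is not worked through on the page, so the example only checks the ID for that entry.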


On 13 Mar 2001 00:11:40 GMT, supr...@aol.comAolsucks (Guy Noir -
private eye) wrote:

picked up a 5364 with a 3196 terminal last week along with the host
5150 pc. both machines power on, and I can try to IPL the S36, but I
get to a logon screen and am unable to continue past there no matter
what I enter in the fields. Where can I gain more information on this
machine? google.com doesn't really return any worthwhile info. a quick
ref. guide or similar would be great. I know it probably isn't useful
anymore, but would be fun to play with and would go alongside my PC RT
nicely.
D.B. Young. Team OS/2!
-->this message printed on recycled disk space<--
hurry, hurry! step right up! see the computers you used as a kid!
www.nothingtodo.org

Delete the obvious (Aolsucks) to reply.

