SPA password bypass for TI System V/68 using kdb

[johnsonjh]

Simple SPA password bypass procedure

The following documents the TI S1500 "simple SPA password bypass procedure" for TI System V/68 using kdb.

• RELATED: TI System V/68 kernel patching guide #15

Overview

• The "simple SPA password bypass procedure" allows booting TI System V/68 without a valid SPA password.
• Any desired quantity of licensed users may be specified.
• No modifications or patching of the installed software is required.

Prerequisites

• A valid and working SPA must be installed in the S1500 system.
• Access to the S1500 serial console port is necessary.
• A terminal or software terminal emulation capable of sending a line <break> is required.
• The proper bypass offsets (which are unique to a specific kernel) must be known or determined.

Caveats

• The procedure does not enable booting a system without an SPA installed.
• The procedure must be performed each time the system is restarted.
  • Automation is possible (e.g. scripting with Expect, C-Kermit, ASPECT, REXX, etc.)
• The procedure does not enable unlicensed use of layered software products.

Accessing kdb

• The serial console port should be accessed at 9600 baud, even parity, 7 data bits, 1 stop bit (E71).
  • Note this differs from GDOS operation which requires odd parity to be used!
• Send a line <break> via the console port; e.g. for C-Kermit, use "<Control-Backslash> <b>".
• Send the password when prompted as shown below; the password for all known versions is "kdb".

  Data Registers:
  0000002F 0000027B FFFFFFFF 00000080 00000001 00000000 00000000 000A60D6
  Addr Registers:
  0200E668 000BD25C 000A6048 000A607A 000B880C 000A5B90 00FFEFB0 07FFFE38
  SSP: 00FFEF84 MSP: 00FFFEB4 SR: 2504 PC: 00002D6C VOR: 23C
  
  Password:
  

• The kdb password must be sent within a short timeout period, once prompted.
• Be aware that sending a "triple <break>" restarts the system and invokes the ROM monitor; send CE to enable external caches, followed by BT (or TM) to continue the boot process.

Determining bypass offsets

• [ TODO: Add instructions to manually determine bypass offsets. ]
• A utility to automatically determines bypass offsets is under development.

Licensed user count

• For the kdb commands below, the value 200 represents the licensed user count (in hexadecimal representation); common values are 200 (512 users), 100 (256 users), 80 (128 users), 40 (64 users), 20 (32 users), and 10 (16 users).
• The values 0 (0 users), 1 (1 user), and 270f (9999 users) are reserved and cannot be used.
• Values greater than 200, through 7fffffff (2147483647 users) are not recommended for use; values beyond 7fffffff represent negative decimal values and are invalid.

Bypass offsets for well-known kernels

• The following are the correct kdb commands to send, with valid offsets, for several well-known configurations.

Preinstalled 3.3.2 JDIS (s1505_cp3540)

acc30/wffffffff
acc2c/w200
/g

Fresh install (2540590-0001J_sysVr3.2.2.1)

8c670/wffffffff
8c6bc/w200
/g

Fresh install (2540590-0001G_sysVr3.2.1)

• TBD

Example session

Loading configuration partition from slot 9 unit 00 partition default

Booting processor in slot C
Loading default partition from slot 9 unit 00

(c)Copyright 1993 Hewlett-Packard Company,  All Rights Reserved.
(c)Copyright 1986-1992 Texas Instruments Incorporated,  All Rights Reserved.
(c)Copyright 1984-1988 AT&T, All Rights Reserved.
(c)Copyright 1979, 1980, 1983, 1985-1990 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Unix System Laboratories, Inc.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1989-1990 The Santa Cruz Operation. All Rights Reserved.

                         RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.

                         Hewlett-Packard Company
                         3000 Hanover Street
                         Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).

Hewlett-Packard 9000 Series 1500
Node:    nodename   Machine: MC680X0
Release: V/68-1.0   Version: 3.3.2
mem = (16777216, 13266944)

Password verification failure!!
SPA ID # = 7777
Enter correct password:

...

Enter root password to enter single user mode
or Control-C to continue to default init level.
Password:

<BREAK>

Data Registers:
0000003F 00000341 FFFFFFFF 00000080 00000001 00000000 00000000 000A60D6
Addr Registers:
0200E668 000BD25C 000A6048 000A607A 000B880C 000A5B90 00FFEFB0 07FFFEB4
SSP: 00FFEF84 MSP: 00FFFEB4 SR: 2504 PC: 00002D6C VOR: 23C

Password: kdb

>acc30/wffffffff
>acc2c/w200
> /g

...

INIT: ENTERING NEW LEVEL