Jim Battle wrote:
I've had an IMS 5000 system for about a year; I got it off eBay for a
song ($35), but as I didn't know any login name and corresponding
password, it has been a brick. I've thought of a couple ways to break
the security, which isn't all that secure, but didn't due to lack of
time. Finally I made time last night.
[Snip]
So I switched gears. I shuffled cards around to make space and
connected the logic analyzer to the Z80 and set a trigger for I/O port
operations, triggering on the first IN from the port corresponding to
the sector buffer. Pay dirt. I quickly got the list of users and
passwords, and tried them and they worked.
After disconnecting the logic analyzer, I captured the contents of the
various EPROMs, then called it a night. Bitsavers and Fritz Chwolka
both have interesting web pages, so I won't attempt to duplicate any
of that, but I will be taking some pictures, posting the HEX files for
the EPROMs and making links to the other IMS 5000 resources on the web.
Jerome Fine replies:
Thank you for the information. It should be useful in
another context to provide a clue as to how to proceed.
For example, if a duplicate of the hard drive can be produced,
then running under an emulator might be similar to hooking up
a logic analyzer. This would be a software solution.
Of course, having a duplicate of the hard drive would usually
allow a user to run the same software and look at the various
files, such as the one which contains the userid / passwords.
On the other hand, I suspect that the actual clear text of
the userid / passwords should never have been stored in a
file in the first place. If that is what you described (based
on what you specified above), that was a VERY serious error
in the security of the system. Rather, an encrypted set of
values should have been stored with an algorithm which does
not allow a reverse of the values. Then when an actual
userid / password is entered, the algorithm produces the
encrypted values which are extremely difficult to produce
and compares the encrypted values against the file values.
Of course, that is not what you wanted, so you were able to
find a solution. It shows what debugging at the hardware
level can do when the right equipment is available. In
short, don't ever rely on encrypted files on a system which
also contains the code to decrypt the files or the private
passwords required for the algorithm.
Sincerely yours,
Jerome Fine
--
If you attempted to send a reply and the original e-mail
address has been discontinued due to a high volume of junk
e-mail, then the semi-permanent e-mail address can be
obtained by replacing the four characters preceding the
'at' with the four digits of the current year.
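The contrast Jerome draws above (clear-text store, reversible encryption with the key on the same machine, and a one-way hash that is only recomputed and compared) as an added illustration; this is not code from the thread or from the IMS 5000, and the user table, the fixed key and the hashing parameters are constructed for the example:

```python
import hashlib
import hmac
import os

# Constructed sample credential table standing in for a user/password file
# like the one Jim read out of the sector buffer (names and passwords made up).
USERS = {"sysop": "zebra", "guest": "pass"}

# 1. Clear-text store: a sector dump or bus capture reveals every password.
def cleartext_store(users):
    return "\n".join(f"{u}:{p}" for u, p in users.items()).encode()

# 2. Reversible "encryption" with the key baked into the system software
#    (assumption: a single fixed XOR byte). The dump alone looks opaque, but
#    whoever also has the firmware has the key and turns it straight back.
KEY = 0x5A

def xor_store(users):
    return bytes(b ^ KEY for b in cleartext_store(users))

def recover_from_xor_store(blob):
    return bytes(b ^ KEY for b in blob).decode()

# 3. One-way store: per-user random salt plus an iterated hash. Nothing on the
#    machine can turn the record back into the password; login recomputes the
#    hash from the typed password and compares in constant time.
def make_record(password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iters": iterations, "hash": digest}

def verify(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iters"])
    return hmac.compare_digest(digest, record["hash"])

def hashed_store(users):
    return {u: make_record(p) for u, p in users.items()}

def hashed_store_bytes(store):
    # What an attacker with a disk image actually gets to see.
    return "\n".join(f"{u}:{r['iters']}:{r['salt'].hex()}:{r['hash'].hex()}"
                     for u, r in store.items()).encode()

def password_visible(blob, password):
    return password.encode() in blob
```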