I just bought a fibre channel HBA for $15 on a whim. This is (was) expensive equipment, and I joke that I have spent a significant portion of my career trying to kill the technology (see, e.g., iSCSI). Now that it’s cheap, I figured the least I could do was play with some equipment at home; and hopefully learn something.
Well, first I needed to connect it to something. Witness, a Brocade Silkworm 3200 switch (with 6 SFPs installed) that I bought for $9 (plus shipping).
But I still needed cables to connect the devices. At work they were throwing away fiber optics, and I also bought some for $1 each (free shipping!).
But now I had a problem. I suspect the reason for the multi-thousand-dollar switch selling for under $10 was that the passwords were lost. Oh dear. Apparently many of these switches have been junked because the person who knew the passwords left the company. Brocade does not provide any support for these bricks (why should they, when you can buy a new one from them?) and the password reset is unique for each switch.
No problem, find a serial cable, and… oh, the management port is also password protected. Never mind, VxWorks has a terrible password hash (only about 80k unique hashes), so I tried them all over telnet. No dice, but the Python telnetlib is nice.
Brocade was nice enough to leave the boot loader program in only a slightly disabled state though. That meant that I was able to dump the firmware out over the serial port (several hours of pressing ‘d’ to get a 9600bps hexdump).
The passwords were listed in the dump! They weren’t VxWorks, they were MD5-crypt(), gah! So I embarked on a fruitless guessing spree, but the standard password guessers (including a 15GB dictionary and brute force) only found a single, disabled user password. Hmm.
Another tack. After uncompressing the OS code, I was able to compile an old GNU binutils for the Intel 80960 and disassemble the machine code. Using the ECOFF information gleaned from Brocade’s obsolete PasswordRecovery3.0.zip procedure, I was able to flip a bit in the firmware. Yay! Default passwords again, and zones removed.
Now I can find out what FC is all about. In the meantime, I’ve learned a bunch of useless, but very enjoyable, password workarounds.