Looking for a bcm50 r3 memory dump (thread1361-1742341)

Zman37 (IS/IT--Management) (OP) 21 Dec 14 2:14

I have successfully reverse engineered the algorithm for the password of the day in the bcm50 r3, but I am missing a "shared sec" (if the bcm can't find it, it throws the error "shared sec not provisioned"), needed in the calculation. The algorithm basically works by taking the sha1 hash of "nnsupport" + the "shared sec" + the date rc4'd with a key + the system id. Then it takes the sha1 hash and uses the bytes from it to select numbers from an array, which then make up the password of the day.

The shared sec is stored somewhere in an "authdb", but I have been unable to find any files that resemble that, and I think I can locate the shared sec if I have a memory dump. I have a bcm50 on order but it won't be here for a few weeks, so I'm wondering if in the meantime anyone has a memory dump they could share. And of course, there would be passwords of the day for everyone!

Thanks,
Derek

Cyberprog (TechnicalUser) 21 Dec 14 17:12

Very interesting. Yes, it's likely to be stored in a database somewhere, probably along with a load of other bits & bobs which could pose interesting if found. I've been playing round trying to change the system ID but haven't gotten anywhere!

Where are you located Derek? I may be able to assist with getting you a BCM50 quicker if you wanted to play with. I have a number in my stock, including one that no longer exists (its licenses were transferred to another system ID and I then managed to bring it back to life) if you would like one to play with. I'm in the UK (South West) FWIW.

Alex Threlfall
Cyberprog New Media
http://www.cyberprog.net
Telecoms, Networks, Hosting, Alarms, CCTV etc.

Zman37 (IS/IT--Management) (OP) 21 Dec 14 20:57

David, I sent you an email.

I located a "pdr" database last night, but I cannot figure out what format it is in. From browsing around in a hex editor, it seems to contain the configuration for the bcm and looks like it may have the data I'm looking for. I'm going to keep poking around and see what I can find.

The system ID is stored somewhere in a "secure sector" on the BCM, which I believe is a secureflash chip. I haven't figured out if there is a way to change it on there yet, but an easy way to change it would be to patch the function in the operating system that retrieves it (osGetSystemId in nn\lib\libosa.lib). Once I get my bcm, I'm going to get that one figured out.

I'm located in Washington in the U.S., so I'm pretty far away.

I've also started looking into figuring out how the keycodes work. From what I've gathered, the bcm50 r3 uses an HMAC scheme with a symmetric key. (Here's the gist of how an HMAC system works: http://www.drdobbs.com/licensing-using-symmetric-a...) The symmetric key means that a license generator is possible without any modification to the bcm. The bcm50 r6, though, uses an asymmetric key, which means that Nortel/Avaya holds a private key, and the bcm50 has the public key on it. To make a license generator, either someone would have to break into Avaya and steal the private key, or a new public/private key pair would have to be generated and the public key on the bcm50 replaced. With the potd, that should be a fairly straightforward process, so in the near future we may have the ability to generate our own keycodes!

Cyberprog (TechnicalUser) 22 Dec 14 11:14

There are ways into the file system of the BCM50 without using SSH BTW. I have telnet enabled on one of mine, as does David. It's reasonably easy to set up and remove the password of the day stuff - but that said, the POTD would be good to break as it would enable access to systems without the need to pluck the hard disk and modify files.

There are far more R1 to R3 systems out there than R5 or R6; I have a dozen systems and only one is R5. There were many changes in R6, licensing must be one of them!

Shame you're in the USA, or I'd overnight you a BCM50 to play with! :)

Alex Threlfall
Cyberprog New Media
http://www.cyberprog.net
Telecoms, Networks, Hosting, Alarms, CCTV etc.
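An added example, not code from this thread or from any BCM firmware, of the keycode design point Zman37 raises in his second post: with a symmetric HMAC the device's verification key is also the issuing key, whereas with a signature scheme the device holds only a public key and a valid keycode requires the vendor's private key. The Keycode layout, the device key and the payload strings are all constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Keycode is a constructed license record: feature text plus the tag a device checks.
type Keycode struct {
	Payload string
	Tag     []byte
}

// Symmetric model: tag = HMAC(key, payload); the verifying key is also the issuing key.
func issueHMAC(key []byte, payload string) Keycode {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return Keycode{payload, m.Sum(nil)}
}

func verifyHMAC(key []byte, kc Keycode) bool {
	return hmac.Equal(issueHMAC(key, kc.Payload).Tag, kc.Tag)
}

// Asymmetric model: the device stores only the public key; the private key stays with the vendor.
func issueSigned(priv ed25519.PrivateKey, payload string) Keycode {
	return Keycode{payload, ed25519.Sign(priv, []byte(payload))}
}

func verifySigned(pub ed25519.PublicKey, kc Keycode) bool {
	return ed25519.Verify(pub, []byte(kc.Payload), kc.Tag)
}

// mintableWithDeviceSecrets reports whether a party knowing only what the
// device itself stores can produce a keycode that the device accepts.
func mintableWithDeviceSecrets(deviceKey []byte, devicePub ed25519.PublicKey, payload string) (symmetric, asymmetric bool) {
	symmetric = verifyHMAC(deviceKey, issueHMAC(deviceKey, payload))
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader) // a key pair that is not the vendor's
	asymmetric = verifySigned(devicePub, issueSigned(strangerPriv, payload))
	return
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	s, a := mintableWithDeviceSecrets([]byte("constructed-device-key"), pub, "sysid=PLACEHOLDER;feature=demo")
	fmt.Printf("mintable from device contents: HMAC=%v signature=%v\n", s, a) // HMAC=true signature=false
}
```

The asymmetric check only holds while the public key on the device is the vendor's; a verifier should therefore treat that key as part of the trusted firmware image (integrity-protected, not a plain file), which is exactly the gap the thread points at.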