{"id":1227,"date":"2025-02-01T17:53:26","date_gmt":"2025-02-01T17:53:26","guid":{"rendered":"https:\/\/trouble.org\/?p=1227"},"modified":"2025-02-10T18:39:51","modified_gmt":"2025-02-10T18:39:51","slug":"remotely-access-supermicro-firmware","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1227","title":{"rendered":"Remotely Access Live Supermicro Firmware+"},"content":{"rendered":"<p>TLDR; a vendor supported\/supplied utility allows download of live BMC<sup id=\"fnref:1\"><a href=\"#fn:1\" rel=\"footnote\">1<\/a><\/sup> firmware\/configuration on (at least) some SuperMicro BMCs. It&#8217;s hard to tell who might be affected, but the utility used was written by ATEN Technology, ASRock ASPEED, and others all seem to be connected in various ways in not only SuperMicro firmware but the rest of the BMC world, and it&#8217;s not clear to me what other vendors might have this feature (sic) as well (QEMU <a href=\"https:\/\/qemu.readthedocs.io\/en\/v9.2.0\/system\/arm\/aspeed.html\">lists many vendors<\/a> using Aspeed BMCs that potentially could have something similar.)<\/p>\n<p>I&#8217;ve only tested this on a couple of systems &#8211; a Supermicro X11SSZ-QF and a Supermicro X10-based virtual BMC (this <a href=\"https:\/\/www.supermicro.com\/support\/resources\/getfile.php?SoftwareItemID=3431\">firmware<\/a> was run under QEMU (release notes claim to support their X10DRU-I+, X10DRT-P, X10DRG-H, X10DRW-I, X10DRI-T4+, X10DDW-I, X10DRFR, X10DRI-T, X10DRFF, X10DRFR-T, X10DRD, X10DRD-L motherboards.)<\/b><\/i> That said, I&#8217;d say evidence strongly suggests this extends to other versions, as nearly identical strings<sup id=\"fnref:2\"><a href=\"#fn:2\" rel=\"footnote\">2<\/a><\/sup> are hardcoded in <tt>\/lib\/libipmi.so<\/tt> that show the <tt>dd<\/tt> command dumping firmware to the same location. This is at least true for Supermicro servers in their X10, X11, X12, and X13 families; it&#8217;s been around for some time and presumably still is. Feel free to send me intel on test results of other systems, and update as appropriate.<\/p>\n<p>The downloaded firmware includes the base OS, web pages\/programs, BMC configuration, most files, and the kernel. Yes, you can change the firmware remotely by any number of methods, but here an attacker can see exactly what is going on on the BMC. Compromising the BMC becomes much easier if you can observe what the exact system is doing. Consider: would you want a potential attacker to be able to see your server\/app configurations, password files, SSH keys, etcetera? It&#8217;s a dangerous thing, even if it&#8217;s not a bug but a feature. But hey, they didn&#8217;t ask me. <\/p>\n<p>I think it&#8217;s especially interesting because it&#8217;s not simply being able to get the firmware of a BMC server, but it does so via valid IPMI by leveraging the OEM commands (the specification details how vendors can extend the protocol to allow vendor-specific commands\/functionality<sup id=\"fnref:3\"><a href=\"#fn:3\" rel=\"footnote\">3<\/a><\/sup>.) In the past I&#8217;ve heard rumors of various features from BMC vendors, such as capturing and freezing RAM, generating SMIs, etc., but these are all hidden from public view&#8230; how much do you trust your server vendor?) Ironically I&#8217;d actually seen this utility many years ago, but could never get it to work, apparently because I didn&#8217;t have the right hardware.<\/p>\n<h4>Details<\/h4>\n<hr \/>\n<p>ATEN Technology has a freely downloadable tool &#8211; <tt>AlUpdate<\/tt><sup id=\"fnref:4\"><a href=\"#fn:4\" rel=\"footnote\">4<\/a><\/sup> that can do a variety of operations to a local or remote BMCs; here&#8217;s what I used in tests &#8211;<\/p>\n<div class=\"codecolorer-container bash blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"bash codecolorer\"><span class=\"co4\">$ <\/span>.<span class=\"sy0\">\/<\/span>AlUpdate <span class=\"re5\">-h<\/span> 192.168.0.24 <span class=\"re5\">-u<\/span> ADMIN <span class=\"re5\">-p<\/span> ADMIN <span class=\"re5\">-i<\/span> lan <span class=\"re5\">-r<\/span> y <span class=\"re5\">-d<\/span> over-lan.img<\/div><\/div>\n<p>Under the hood (each item representing packet(s) sent\/received) it has 4 stages &#8211;<\/p>\n<ol>\n<li>authenticate to BMC and set communication parameters<\/li>\n<li>get ready to send<\/li>\n<li>send a I&#8217;m-ready-when-you-are-command<\/li>\n<li>let me have it!<\/li>\n<\/ol>\n<p>The first step is the setup request via a RMCP+ Open Session request via UDP on port 623, the standard IPMI port. I only mentioned it because while it could request any of a number encryption and data integrity algorithms, they instead shut off data integrity and confidentiality by using the 0x00 algorithms for both, meaning that all of this all sent in the clear with no protection.<\/p>\n<table class=\"darkt\" border=\"2\" cellpadding=\"3\">\n<tbody>\n<tr>\n<td>Authentication Algorithm<\/td>\n<td>RAKP-HMAC-SHA1<\/td>\n<\/tr>\n<tr>\n<td>Integrity Algorithm(s)<\/td>\n<td>None<\/td>\n<\/tr>\n<tr>\n<td>Confidentiality Algorithm(s)<\/td>\n<td>None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>After the connection is established, the <tt>AlUpdate<\/tt> tool sends three OEM IPMI commands in sequence &#8211;<\/p>\n<ul>\n<li>0x1d<\/li>\n<li>0x1e<\/li>\n<li>0x1f<\/li>\n<\/ul>\n<p>The first command packet is sent and receives a command was successful response.<\/p>\n<table class=\"darkt\" border=\"2\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>direction<\/th>\n<th>NetFN<\/th>\n<th>IPMI command<\/th>\n<th>response code<\/th>\n<\/tr>\n<tr>\n<td>to BMC<\/td>\n<td>0x3e<\/td>\n<td>0x1d<\/td>\n<td>n\/a<\/td>\n<\/tr>\n<tr>\n<td>from BMC<\/td>\n<td>0x3e<\/td>\n<td>0x1d<\/td>\n<td>0x00<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The basic structure of each command is the same &#8211; here&#8217;s the full UDP payload of the first packet &#8211;<\/p>\n<pre>    06001200000000000000070020f8e88100<b class=\"red\">1d<\/b>62<\/pre>\n<p>Or in <tt>tshark<\/tt> format &#8211;<\/p>\n<pre class=\"code\">    \r\n        Version: 0x06\r\n        Reserved: 0x00\r\n        Sequence: 0xff\r\n        Type: Normal RMCP, Class: IPMI\r\n            ...0 0111 = Class: IPMI (0x07)\r\n            0... .... = Message Type: Normal RMCP (0x0)\r\n    IPMI v2.0+ Session Wrapper, session ID 0x360\r\n        Authentication Type: RMCP+ (0x06)\r\n        <b class=\"red\">Payload type: IPMI Message (0x00), not encrypted, not authenticated\r\n            0... .... = Encryption: Payload is unencrypted\r\n            .0.. .... = Authenticated: Payload is unauthenticated<\/b>\r\n            ..00 0000 = Payload Type: IPMI Message (0x00)\r\n        Session ID: 0x00000360\r\n        Session Sequence Number: 0x00000000\r\n        Message Length: 7\r\n    Intelligent Platform Management Bus\r\n        Target Address: 0x20\r\n        Target LUN: 0x00, NetFN: OEM Request (0x3e)\r\n            <b class=\"red\">NetFn: OEM Request (0x3e)<\/b>\r\n            .... ..00 = Target LUN: 0x0\r\n        Header Checksum: 0xe8 (correct)\r\n        Source Address: 0x81\r\n        Source LUN: 0x00, SeqNo: 0x00\r\n            .... ..00 = Source LUN: 0x0\r\n            0000 00.. = Sequence Number: 0x00\r\n        <b class=\"red\">Command: Unknown command (0x1d)<\/b>\r\n        Data checksum: 0x62 (correct)\r\n<\/pre>\n<p>Behind the scenes the BMC starts packing up the firmware on the BMC &#8211; if you&#8217;re on the BMC (perhaps more on that on a follow-up), running the <tt>ps<\/tt> command shows &#8211;<\/p>\n<div class=\"codecolorer-container bash blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"bash codecolorer\">PID USER VSZ STAT COMMAND<br \/>\n<span class=\"br0\">&#91;<\/span>...<span class=\"br0\">&#93;<\/span><br \/>\n<span class=\"nu0\">1312<\/span> root <span class=\"nu0\">2784<\/span> S <span class=\"kw2\">sh<\/span> <span class=\"re5\">-c<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>restore_file.sh <span class=\"nu0\">0<\/span><br \/>\n<span class=\"nu0\">1313<\/span> root <span class=\"nu0\">2784<\/span> S <span class=\"br0\">&#123;<\/span>restore_file.sh<span class=\"br0\">&#125;<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>restore_file.sh <span class=\"nu0\">0<\/span><br \/>\n<span class=\"nu0\">1345<\/span> root <span class=\"nu0\">3112<\/span> S <span class=\"kw2\">tar<\/span> <span class=\"re5\">-zcvf<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>save_config.tar.gz .<span class=\"sy0\">\/<\/span>preserve_config<br \/>\n<span class=\"nu0\">1346<\/span> root <span class=\"nu0\">2920<\/span> R <span class=\"kw2\">gzip<\/span> <span class=\"re5\">-f<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>...<span class=\"br0\">&#93;<\/span><\/div><\/div>\n<p>What is it doing? MTD is the Memory Technology Device subsystem and is used for storage backed by flash memory of various sorts (like NAND, NOR, etc); this shows the BMC extracting the firmware from its flash storage via <tt>dd<\/tt> to get ready to send.<\/p>\n<p>The &#8220;\/proc\/mtd&#8221; psuedo file shows some details on the various MTD devices, including mtd5:<\/p>\n<div class=\"codecolorer-container bash blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"bash codecolorer\">$ <span class=\"kw2\">cat<\/span> <span class=\"sy0\">\/<\/span>proc<span class=\"sy0\">\/<\/span>mtd<br \/>\ndev: <span class=\"kw2\">size<\/span> erasesize name<br \/>\nmtd0: 00100000 00010000 <span class=\"st0\">&quot;bootloader&quot;<\/span><br \/>\nmtd1: 00300000 00010000 <span class=\"st0\">&quot;nvram&quot;<\/span><br \/>\nmtd2: 01000000 00010000 <span class=\"st0\">&quot;rootFS&quot;<\/span><br \/>\nmtd3: 00300000 00010000 <span class=\"st0\">&quot;kernel&quot;<\/span><br \/>\nmtd4: 00840000 00010000 <span class=\"st0\">&quot;webpage&quot;<\/span><br \/>\nmtd5: 01fc0000 00010000 <span class=\"st0\">&quot;all_part&quot;<\/span><br \/>\nmtd6: 00010000 00010000 <span class=\"st0\">&quot;uboot_env&quot;<\/span><\/div><\/div>\n<p>That &#8220;all_part&#8221; means basically the entire system &#8211; from it you can extract (via <tt>binwalk<\/tt> or whatever methods you&#8217;d like) the base OS, plus the web components, kernel, configuration details, etc. When the BMC boots up it mounts the root file system and then \/nv and \/web&#8230; here&#8217;s the kernel command line and the mount commands &#8211;<\/p>\n<pre class=\"code\">    console=ttyS1,115200 root=\/dev\/mtdblock2 rootfstype=cramfs noinitrd rw mem=79M\r\n<\/pre>\n<pre class=\"code\">    mount -t jffs2 \/dev\/mtdblock1 \/nv\r\n    mount -t cramfs \/dev\/mtdblock4 \/web\r\n<\/pre>\n<p>Every time a &#8220;0x1d&#8221; IPMI command is sent the &#8220;dd&#8221; is triggered again&#8230; (not in parallel, it kills off any previous)&#8230; and the lil&#8217; BMC really struggles during that time. (Makes me wonder if repeated hammering of the disk might cause problems&#8230;.)<\/p>\n<p>The BMC itself runs <tt>Linux version 2.6.28.9<\/tt> on a <tt>CPU: ARM926EJ-S<\/tt> &#8211;<\/p>\n<div class=\"codecolorer-container bash blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"bash codecolorer\">$ <span class=\"kw2\">uname<\/span> <span class=\"re5\">-a<\/span><br \/>\nLinux <span class=\"br0\">&#40;<\/span>none<span class=\"br0\">&#41;<\/span> 2.6.28.9 <span class=\"co0\">#1 Mon Aug 10 14:12:03 CST 2015 armv5tejl GNU\/Linux<\/span><br \/>\n$ <span class=\"kw2\">cat<\/span> <span class=\"sy0\">\/<\/span>proc<span class=\"sy0\">\/<\/span>cpuinfo<br \/>\nProcessor : ARM926EJ-S <span class=\"kw2\">rev<\/span> <span class=\"nu0\">5<\/span> <span class=\"br0\">&#40;<\/span>v5l<span class=\"br0\">&#41;<\/span><br \/>\nBogoMIPS : <span class=\"nu0\">191.69<\/span><br \/>\nFeatures : swp half thumb fastmult edsp <span class=\"kw2\">java<\/span><br \/>\nCPU implementer : 0x41<br \/>\nCPU architecture: 5TEJ<br \/>\nCPU variant : 0x0<br \/>\nCPU part : 0x926<br \/>\nCPU revision : <span class=\"nu0\">5<\/span><br \/>\n<br \/>\nHardware : ASPEED-AST2300<br \/>\nRevision : 0000<br \/>\nSerial : 0000000000000000<\/div><\/div>\n<p>The &#8220;<tt>dd if=\/dev\/mtdblock5 of=\/tmp\/dump_flash<\/tt>&#8221; bit is hardcoded in <tt>\/lib\/libipmi.so<\/tt>, and is executed via the <tt>\/bin\/ipmi_lan<\/tt> persistent daemon, which listens to UDP port 623 (IPMI&#8217;s default listening port.)<\/p>\n<p><b class=\"red\">Next<\/b>, <tt>AlUpdate<\/tt> waits about 50 seconds to send the second packet (command 0x1e.) Until the firmware is completely saved to disk the BMC will respond with a successful command completion code plus a 0x00 data field. The tool continues to query every 4-5 seconds until the BMC sends a 0x01 in the data field followed by 0x200000 (0x0200000) &#8211; the latter corresponding exactly to the size of the BMC firmware (33,554,432 in base 10.)<\/p>\n<p>The request packet &#8211;<\/p>\n<pre class=\"code\">    0600760a000001000000070020f8e88100<b class=\"red\">1e<\/b>61\r\n<\/pre>\n<p>And the final response packet &#8211;<\/p>\n<pre class=\"code\">    06002923be84070000000f0081fc832000<b class=\"red\">1e0001020000000000<\/b>bf\r\n<\/pre>\n<p><b class=\"red\">After<\/b> seeing that response 0x1f IPMI commands are sent and repeated until the entire flash is sent over. This takes about XXX minutes in total. The request packets are the same old thing &#8211;<\/p>\n<pre class=\"code\">    0600760a000007000000070020f8e88100<b class=\"red\">1f<\/b>60\r\n<\/pre>\n<p>While the response packets cram in 57 bytes per UDP packet (55 data bytes after the command and the checksum is taken into account.)<\/p>\n<pre class=\"code\">    06002923be840d000000410081fc832000<b class=\"red\">1f0000ae17ee57504ba6a3a879a8dbb1b1d9c68a6252d1cb26de9049037a501fe781f78073c010e0c6fc32208e7abb00e8c03cb0e975f4bb0061dc<\/b>\r\n<\/pre>\n<p>The whole exchange takes about 800,000 packets back and forth. After a successful transfer or if nothing happens for about 10m after the initial mtd dump, the image file will be removed from \/tmp on the BMC.<\/p>\n<h4>Download BMC conf separately?<\/h4>\n<p>Oddly, using the <tt>-c<\/tt> flag to get just the configuration (e.g. <tt>.\/AlUpdate -c -d backup.bin -i kcs -r y<\/tt> as per the usage output didn&#8217;t work. Checking the packet flow and what&#8217;s going on the BMC it seems to start fine, but then something goes awry&#8230; perhaps someone else can let me know how it should work.<\/p>\n<h4>Quick Test<\/h4\n\n\n<hr \/>\n<p>You don&#8217;t strictly need the <tt>AlUpdate<\/tt> tool to test this&#8230; if you send a single authenticated packet via your IPMI tool o&#8217; choice, such as &#8211;<\/p>\n<pre class=\"code\">    ipmi-raw --driver-type=LAN_2_0 -h 10.0.0.1 -u ADMIN -p ADMIN 0 3e 1d<\/pre>\n<p>or <\/p>\n<pre class=\"code\">    ipmitool -U ADMIN -P ADMIN -H 10.0.0.1 raw 0x3e 0x1d<\/pre>\n<p>On susceptible systems it&#8217;ll start the dump to <tt>\/tmp\/<\/tt> on the BMC, and presumably throw an error (but who knows on various systems; other OEMs might use it for different purposes, since it&#8217;s up to them to define) if it doesn&#8217;t recognize the command.<\/p>\n<h4>Denouement<\/h4>\n<hr \/>\n<p>In the grand IPMI scheme of things, just another issue, I suppose; it&#8217;s already dangerous enough with all the other problems! Still, that someone could vacuum out such information from you BMCs seems at least casually alarming. Certainly if an adversary was able to do this it&#8217;s probably game over.<\/p>\n<p>Others might claim that if they had your credentials or admin access to your BMC it&#8217;s pretty much over anyway, since you can upload new firmware or change the configuration anyway.<\/p>\n<p>There is a substantial difference, however, between blindly overwriting existing data and being able to view and change existing data. And since the basic configuration and password of your BMCs is shared through multiple vendors, it means that even if your other BMCs aren&#8217;t Supermicro, such disclosure puts them at additional risk as well.<\/p>\n<p>And if an adversary was able to install a backdoor into existing firmware (as I did to gain shell access to my own BMC to determine what was going on behind the scenes) by examining the configuration details of your BMC, that&#8217;s substantially more difficult to detect than someone actually changing the BMC carte blanche. Even if you don&#8217;t detect backdoors or changes to BMC configuration (which can be quite tricky), one might well notice a change in firmware version.<\/p>\n<p>YMMV.<\/p>\n<p>Be well and be safe.<\/p>\n<\/div>\n<p><!-- footies\/notes --><\/p>\n<h4>Footnotes<\/h4>\n<div class=\"footnotes\">\n<hr \/>\n<ol>\n<li id=\"fn:1\"> The BMC is an embedded computer that has lived on the motherboard of Intel-based servers for the last 25+ years. It is responsible for out-of-band monitoring and management of servers via Intel&#8217;s IPMI protocol and goes under such rebranded names as iLO, iDRAC, etc. I&#8217;ve written <a href=\"http:\/\/fish2.com\/ipmi\">a fair bit<\/a> about such things, and there&#8217;s lots of additional information available online. <a style=\"text-decoration: none;\" href=\"#fnref:1\" rev=\"footnote\">\u25c0<\/a>\n<li id=\"fn:2\"> E.g. &#8211; in <a href=\"https:\/\/www.supermicro.com\/support\/resources\/getfile.php?SoftwareItemID=20582\">BMC_X13AST2600-ROT20-D301MS_20231005_01.01.20_STDsp.zip<\/a> you can see (unpacked with <tt>binwalk<\/tt> or other tools) &#8211;\n<pre>dd if=\/dev\/mtdblock4 of=\/tmp\/dump_flash^@\/tmp\/dump_flash^@SlaveTask:at_b_DumpFlashComplete = 0x%x\r\n<\/pre>\n<p>In <a href=\"https:\/\/www.supermicro.com\/support\/resources\/getfile.php?SoftwareItemID=19394\">BMC_X12AST2500-3201MS_20231006_01.03.03_STDsp.zip<\/a><br \/>\nit shows &#8211;<\/p>\n<pre class=\"code\">    dd if=\/dev\/mtdblock5 of=\/tmp\/dump_flash^@SlaveTask:at_b_DumpFlashComplete = 0x%x<\/pre>\n<p><a style=\"text-decoration: none;\" href=\"#fnref:2\" rev=\"footnote\">\u25c0<\/a>\n<\/li>\n<li id=\"fn:3\"> The IPMI spec has two different ways to specify OEM commands (FYI, OpenBMC has a <a href=\"https:\/\/github.com\/openbmc\/phosphor-host-ipmid\/blob\/master\/docs\/oem-extension-numbering.md\">nice writeup on all this<\/a>.) The first is by specifying an OEM NetFn code (from the IPMI spec 2.0, &#8220;Table 5-1, Network Function Codes&#8221;) &#8211;\n<p>0x2E\/0x2F &#8211; OEM\/Group OEM\/Non-IPMI group Requests and Response. The first three data bytes of requests and responses under this network function explicitly identify the OEM or non-IPMI group that specifies the command functionality. While the OEM or non-IPMI group defines the functional semantics for the cmd and remaining data fields, the cmd field is required to hold the same value in requests and responses for a given operation in order to be supported under the IPMI message handling and transport mechanisms. When this network function is used, the IANA Enterprise Number for the defining body occupies the first three data bytes in a request, and the first three data bytes following the completion code position in a response.<\/p>\n<p>Or 0x30-0x3F. This is for Controller-specific OEM\/Groups.Vendor specific (16 Network Functions [8 pairs]). The Manufacturer ID associated with the controller implementing the command identifies the vendor or group that specifies the command functionality. While the vendor defines the functional semantics for the cmd and data fields, the cmd field is required to hold the same value in requests and responses for a given operation in order for the messages to be supported under the IPMI message handling and transport mechanisms.<\/i><\/p>\n<p>The second is via the Bridge NetFn (0x02), which reserves commands in the range C0-FE for OEMs. <a style=\"text-decoration: none;\" href=\"#fnref:3\" rev=\"footnote\">\u25c0<\/a><\/p>\n<\/li>\n<li id=\"fn:4\"> I got mine via &#8211; https:\/\/download.asrock.com\/TSD\/socflash_linux.zip, under https:\/\/www.asrockrack.com\/support\/faq.asp?id=61.\n<p>The zip file has DOS, Windows, and Linux versions of the command. When executing it with no arguments it gives the usage &#8211;<\/p>\n<pre># .\/AlUpdate\r\n*****************************************************************************\r\n* ATEN Technology, Inc.                                                     *\r\n*****************************************************************************\r\n* FUNCTION   :  IPMI FIRMWARE UPDATE UTILITY                                *\r\n* VERSION    :  2.08                                                        *\r\n* BUILD DATE :  Oct  9 2018                                                 *\r\n* USAGE      :                                                              *\r\n*             (1)Update FIRMWARE : AlUpdate -f filename.bin [OPTION]        *\r\n*             (2)Dump FIRMWARE   : AlUpdate -d filename                     *\r\n*             (3)Restore CONFIG  : AlUpdate -c -f filename.bin              *\r\n*             (4)Backup CONFIG   : AlUpdate -c -d filename.bin              *\r\n*****************************************************************************\r\n* OPTION                                                                    *\r\n*   -i the IPMI channel, currently, kcs and lan are supported               *\r\n* LAN channel specific arguments                                            *\r\n*   -h remote BMC address and RMCP+ port, (default port is 623)             *\r\n*   -u IPMI user name                                                       *\r\n*   -p IPMI password correlated to IPMI user name                           *\r\n*   -r Preserve Configuration (default is Preserve)                         *\r\n*      n:No Preserve, reset to factory default settings                     *\r\n*      y:Preserve, keep all of the settings                                 *\r\n*   -c IPMI configuration backup\/restore                                    *\r\n*      -f [restore.bin] Restore configurations                              *\r\n*      -d [backup.bin] Backup configurations                                *\r\n*****************************************************************************\r\n* EXAMPLE                                                                   *\r\n*   we like to upgrade firmware through KCS channel                         *\r\n*   AlUpdate -f fwuperade.bin -i kcs -r y                                   *\r\n*   AlUpdate -d fwdump.bin -i kcs -r y                                      *\r\n*                                                                           *\r\n*   we like to restore\/backup IPMI config through KCS channel               *\r\n*   AlUpdate -c -f restore.bin -i kcs -r y                                  *\r\n*   AlUpdate -c -d backup.bin -i kcs -r y                                   *\r\n*                                                                           *\r\n*   we like to upgrade firmware through LAN channel with                    *\r\n*   - BMC IP address 10.11.12.13 port 623                                   *\r\n*   - IPMI username is usr                                                  *\r\n*   - Password for alice is pwd                                             *\r\n*   - Preserve Configuration                                                *\r\n*   AlUpdate -f fw.bin -i lan -h 10.11.12.13 623 -u usr -p pwd -r y         *\r\n*   AlUpdate -d fwdump.bin -i lan -h 10.11.12.13 623 -u usr -p pwd -r y     *\r\n*                                                                           *\r\n*   we like to restore\/backup IPMI config through LAN channel with          *\r\n*   - BMC IP address 10.11.12.13 port 623                                   *\r\n*   - IPMI username is usr                                                  *\r\n*   - Password for alice is pwd                                             *\r\n*   - Preserve Configuration                                                *\r\n*   AlUpdate -c -f fw.bin -i lan -h 10.11.12.13 623 -u usr -p pwd           *\r\n*   AlUpdate -c -d fwdump.bin -i lan -h 10.11.12.13 623 -u usr -p pwd       *\r\n*****************************************************************************\r\n<\/pre>\n<p><a style=\"text-decoration: none;\" href=\"#fnref:4\" rev=\"footnote\">\u25c0<\/a>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>TLDR; a vendor supported\/supplied utility allows download of live BMC1 firmware\/configuration on (at least) some SuperMicro BMCs. It&#8217;s hard to tell who might be affected, but the utility used was written by ATEN Technology, ASRock ASPEED, and others all seem to be connected in various ways in not only SuperMicro firmware but the rest of [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[154,116,4,6],"tags":[158,360,113,361,359],"class_list":["post-1227","post","type-post","status-publish","format-standard","hentry","category-ipmi-2","category-risk","category-security","category-tech","tag-bmc","tag-firmware","tag-ipmi","tag-remote","tag-supermicro"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1227"}],"version-history":[{"count":109,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1227\/revisions"}],"predecessor-version":[{"id":1361,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1227\/revisions\/1361"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}