Hacked! The Ultrospec 1100 pro Admin Password

Case report: I got a used Ultrospec 1100 pro UV/Vis spectrophotometer. Of course, it came without logs and docs. It seems to be fully functional, as expected and as promised. But as usual, the Devil was hiding in the details, even though finding the manual on the web was no problem:

To access the setup menu and tweak options such as whether the deuterium lamp should be fired automatically when the instrument boots (the lamp is expensive, roughly 0.5 USD per hour, and is required to record UV spectra between 200 nm and 340 nm; for longer wavelengths a rather cheap halogen bulb does the job), one needs to enter the admin pass code. It has a default value, which is documented in the manual. Of course, it had been changed by the previous owner, whom I don’t know. Murphy’s Laws always apply.

So how to find it out? Four digits, no leading zeros accepted: 9000 possible combinations, 1000…9999. Trivial combinations like 1111, 2222, etc.? No success. Brute force attack? An optimistic estimate of keying in and keeping track of 4 combinations per minute comes to 2250 minutes, i.e. 37.5 hours to test the whole password space. After having tried the first 100 combinations, I decided to do it the smart way instead!

Let’s analyze the hardware (I’d have done it sooner or later anyway): one MCU, a Hitachi H8/520; one EPROM, a 27C2001; one 76C256-70 RAM; some 74xxx TTL chips for I/O; and a 24C16 serial EEPROM. The EEPROM is the small socketed DIP8 chip above the middle flat cable on the left. This EEPROM is the only place where variable data like passwords, lamp hours, serial numbers and methods can be stored so that it survives a power-off. So let’s pull the EEPROM out and extract and analyze the data! The Minipro TL866 is my friend and yields this short binary dump:

F7 21 18 F5 E1 01 F5 07 F9 1B 0D 01 E3 FC F6 09 FB 19 09 01 E9 FB F6 07 F8 1B 09 00 EA 00 F2 0A F8 19 0B 00 E8 03 EE 0A FA 1A 05 02 EB FF F1 0D F9 14 0A FD EF FC F5 0B FB 18 03 00 EC FD F7 09 FC 37 00 00 02 FF 0F AA 13 88 00 1E 01 2C 00 00 FF FF FF FF FF FF FF FF FF FF 06 5B FF FF FF FF 00 01 49 7C 20 FF 00 09 01 04 03 84 40 80 00 00 00 05 00 00 00 00 00 05 FF FF FF FF FF FF 00 00 00 16 76 EA 00 16 76 EA 00 15 13 26 FF FF FF FF FF FF FF FF th e. .s er ia l. .n um be r! FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 FF
(some more stuff here, apparently currently unused storage)

How to find the admin password in this mess? Intelligent guessing! As mentioned above, the pass code can take values between 1000 and 9999 decimal, that is between 0x03E8 and 0x270F in hexadecimal. So, assuming there is no encryption, encoding or whatever (if it were encoded digit by digit, it would stand out clearly: dec 4110 would be represented as 04 01 01 00, and 9143 didn’t work), what one needs to look for in the first instance is a 4-digit hex number whose first digit is 0, 1 or 2 and whose other three digits are anything between 0 and F. That is quite a lot of candidate combinations; I have highlighted them in the dump. Some more data is stored in the snippet above, like the uptime of the machine and the lamps in seconds, and the device’s serial number. These are easy to find out: overwrite with 0x00 or 0xFF, write back to the EEPROM, put the EEPROM back into the machine and see what happens. Or convert the data from the display into hex and find it in the dump above. Result: the variable data seems to be in the 2nd and 3rd 64-byte segments. Fewer combinations to start with.

Candidates:
0x0FAA → 4010; 0x1388 → 5000; 0x1E01 → 7681; 0x20FF → 8447;
0x0901 → 2305; 0x0403 → 1027; 0x0500 → 1280; 0x05FF → 1535;
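The candidate search from the paragraphs above, written out in Python as an added example (not code from the original post): it parses the 2nd 64-byte segment of the dump (0-based offsets 64 to 127, copied from the dump above), lists every 16-bit value that falls in the 1000…9999 range with its decimal conversion, and separately looks for the digit-per-byte encoding (04 01 01 00 style) that the text rules out. It goes slightly beyond the post by also offering a little-endian scan for firmware that stores the low byte first.

```python
from typing import List, Tuple

# Second 64-byte segment (0-based offsets 64..127) copied from the dump in the post.
SEGMENT_BASE = 64
SEGMENT_HEX = (
    "FC 37 00 00 02 FF 0F AA 13 88 00 1E 01 2C 00 00 "
    "FF FF FF FF FF FF FF FF FF FF 06 5B FF FF FF FF "
    "00 01 49 7C 20 FF 00 09 01 04 03 84 40 80 00 00 "
    "00 05 00 00 00 00 00 05 FF FF FF FF FF FF 00 00"
)
LOW, HIGH = 1000, 9999  # four digits, no leading zero accepted by the keypad


def parse_dump(text: str) -> bytes:
    """Turn a space-separated hex dump (as the programmer prints it) into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def binary_candidates(data: bytes, base: int = 0,
                      little_endian: bool = False) -> List[Tuple[int, int]]:
    """All 16-bit windows whose value lies in LOW..HIGH, as (absolute offset, decimal).

    Big-endian is the H8 family's native byte order; little_endian=True is an
    assumption for other devices that store the low byte first.
    """
    found = []
    for i in range(len(data) - 1):
        hi, lo = (data[i + 1], data[i]) if little_endian else (data[i], data[i + 1])
        value = (hi << 8) | lo
        if LOW <= value <= HIGH:
            found.append((base + i, value))
    return found


def digit_candidates(data: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """Four consecutive bytes holding one decimal digit each (04 01 01 00 -> 4110)."""
    found = []
    for i in range(len(data) - 3):
        window = data[i:i + 4]
        if window[0] != 0 and all(b <= 9 for b in window):
            found.append((base + i, int("".join(str(b) for b in window))))
    return found


if __name__ == "__main__":
    dump = parse_dump(SEGMENT_HEX)
    for off, val in binary_candidates(dump, SEGMENT_BASE):
        print(f"offset {off:3d}: 0x{val:04X} -> {val}")
    for off, val in digit_candidates(dump, SEGMENT_BASE):
        print(f"offset {off:3d}: digit per byte -> {val}")
```

Run as a script it prints the eight candidates listed above plus 0x065B at offset 90, and the digit-per-byte reading 9143 at offset 103 that the post reports as not working.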

My guess was right, and even the first candidate, 0x0FAA → 4010, highlighted in green, was the right one.

To make a long story short: the pass code is stored as a 4-digit hexadecimal number (two bytes) at offset 71. To enter it on the keyboard, you need to convert it to decimal.

Technical requirements:

1) A screwdriver. Don’t loosen the four screws which hold the power supply in place! Only remove the 5 outer ones. And read note [1].
2) A tool to remove the EEPROM from its socket. The screwdriver from 1) might do the job, if you’re careful.
3) A tool to read serial EEPROMs like the 24C16, e.g. the TL866 programmer.
4) A hex editor (to analyze the binary data from the EEPROM).
5) A hexadecimal ↔ decimal converter. Maybe your scientific calculator can do it, or find one on the internet. Or simply use your brain: once you’ve got it, converting hex into decimal and back is pretty simple.

Notes and Disclaimers:

Of course, you are performing any hack at your own risk. I can’t be held responsible for any damage that happens because you decided to do something or because you were following these notes. This is neither an instruction nor an SOP. It is just a case report. It may work with other models or it may not. You have been warned.

By opening the machine, you’ll void the warranty (you’ll need to break a seal) and you might get into trouble with your boss. Better ask before you start. There is a chance/risk that you’ll destroy the photometer when you’re messing around in it. Use electrostatic protection and label all connections before removing them. Take notes and use your camera.

Once the photometer is opened, you may want to back up the EPROM, too.

[1] Note: Before removing the cover, turn off the instrument and disconnect the mains cable (obviously). Then gently pull out the tray with the cuvette holder before removing the 5 screws which hold the cover in place. After the screws have been removed, turn the photometer over again and carefully remove the cover. The keyboard/display unit is connected to the main board via flat ribbon cables which may easily be damaged and/or accidentally pulled out of their sockets.

This entry was posted in Lab Stuff, Science & Work, Ultrospec, Uncategorized.
