Resetting old Repotec/Eusso switch without RST button or admin access
    So I have a Repotec RP-G3224V that a friend recently gave me so I can try to sell it or reuse in other way (can always disassemble for parts, but that's the last option). He bought it used online in "as is" condition many years ago. I tested the connectivity between the ports and found some configured isolated groups (see port isolation map.png). I want to reset this configuration so all are connected together, however there is no reset button anywhere and the credentials for admin access over RS232 console are not "admin / admin" or "admin / 123...". I considered brute forcing my way in but one username and password test takes about 300 ms (in a little program I made in Go) and the password could be using the whole 10 characters of abcABC123 charset (as seen on the bottom of prompt.png) so it could take absurd amounts of time (>1 000 000 years). Maybe the EEPROM could be read to find the credentials or wiped manually and that's why I came here.

    Possible solutions:
    1. EEPROM reset?
      Where could the EEPROM be? In the 64KB flash of SyncMOS SM89516? It's an MCU with flash used for program storage. How to avoid wiping the program? Why would the manufacturer put it in a socket? Should I worry about the EEPROM checksum (mentioned during initialization, see init.png)?
    2. Unpopulated reset button?
      What could the unpopulated J6 near console cable connector be used for? Couldn't this be the reset button connector? I tried shorting the appropriate BD14 pad (ferrite BeaD, which the J6 is connected through) to ground, it made a tiny spark and then supplied about 20mA. Didn't accomplish anything.
    3. Decrypt communication between MCU and EEPROM to find password?


    The VIA VT6526A is an Ethernet Switch Controller, very difficult to find info on, no datasheet, only this: https://hexus.net/tech/items/network...ch-controller/
    The SyncMOS SM89516 datasheet: https://cdn.badcaps-static.com/pdfs/...9d89632815.pdf

    You cannot find info on this model on Repotec website (anymore?) and only a handful of other results online. But I found another device that uses the same board by the name of "Eusso UGS5224-RS ", see http://www.eusso.com/Models/Gigabit/...UGS5224-RS.htm. However, the manual doesn't mention any way to reset it without admin access. It uses the same board based on this Ebay listing: https://www.ebay.com/itm/193040957052

    I know this doesn't make financial sense because the device is from like 2004 and is of medium quality (?), but I don't care about money because it's sort of a challenge and a learning experience.

    For reverse engineering the board, I took photos and annotated most ICs on the board, see collage.jpg.

    Any other ideas? What makes the most sense here besides scrapping it?
    Attached Files

    #2
    Re: Resetting old Repotec/Eusso switch without RST button or admin access

    did you try the usual stuff like "admin"?
    is the other side of the board empty?



      #3
      Re: Resetting old Repotec/Eusso switch without RST button or admin access

      try admin admin ..
      guest guest .
      blank admin .



        #4
        Re: Resetting old Repotec/Eusso switch without RST button or admin access

        I have tried these right now and failed:
        • admin admin
        • admin 123, 1234, ... 123456789
        • guest guest
        • guest 123, 1234, ... 123456789
        • blank blank
        • blank 123, 1234, ... 123456789
        • root root
        • root 123, 1234, ... 123456789


        is the other side of the board empty?
        Haven't thought about that for some reason.
        The bottom reveals:
        • 24A08, 1KB I2C EEPROM:
        • SP232ACT, RS232 driver:
        • 47LVC373AD, Octal D latch
        • IS61LV256 32K x 8 Static RAM:
        • The funny vias lead to traces on the bottom side, but don't lead anywhere on the top so the board must be more than 2 layers, interesting.


        The discovery of a little SOP8 EEPROM is good news. So the config is stored in this? 1KB seems like enough, the username and password needs about 20B (ASCII char encoded to 1 byte, 10 characters, twice). How certain can I be this contains the config and that wiping it will not break the switch? Will the credentials return to defaults (probably "admin admin") when I write zeros to the EEPROM?
        Attached Files
        Last edited by mik13ST; 03-14-2023, 05:39 PM. Reason: typo



          #5
          Re: Resetting old Repotec/Eusso switch without RST button or admin access

          don't wipe the eeprom, it probably also contains factory data like serial number or model.
          read it and look with a hex editor - you may see plaintext



            #6
            Re: Resetting old Repotec/Eusso switch without RST button or admin access

            you forgot blank admin



              #7
              Re: Resetting old Repotec/Eusso switch without RST button or admin access

              read it and look with a hex editor - you may see plaintext
              Alright, will try.

              you forgot blank admin
              I did, sorry. Adding to the list:
              blank admin
              blank guest
              blank root

              Thank you so far.



                #8
                Re: Resetting old Repotec/Eusso switch without RST button or admin access

                So I desoldered the EEPROM using a heat gun and I am trying to read it using an Arduino UNO according to a video guide, but I chose to pull the write protection (WP) pin high to avoid overwriting any data inside it. I based my code on the one in this guide: https://www.instructables.com/Readin...-Using-/#step5.

                This was my initial Arduino code (similar to C):
                Code:
                #include <Wire.h>
                
                #define EEPROM1 0b1010000 //defines the base address of the EEPROM
                
                void setup() {
                 Wire.begin(); //creates a Wire object
                 Serial.begin(9600);
                 Serial.println();
                
                 unsigned int address = 0; //first address of the EEPROM
                 for (address = 0; address < 1024; address++) {
                  byte d = read(address);
                  Serial.print(d, HEX);
                  Serial.print(" ");
                 }
                 Serial.println();
                }
                
                void loop() {}
                
                byte read(unsigned int address) {
                 byte data = 0xFF;
                 Wire.beginTransmission(EEPROM1);
                 Wire.write((int)(address >> 8));   //writes the MSB
                 Wire.write((int)(address & 0xFF));  //writes the LSB
                 Wire.endTransmission();
                 Wire.requestFrom(EEPROM1, 1);
                 if (Wire.available())
                  data = Wire.read();
                 return data;
                }
                Which gave me output like this:
                Code:
                0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 
64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D 6D
                Odd, it's not much data and the bytes are repeated many times. Actually, exactly 255 times.
                I chose to read first 1024 bytes because that's the capacity of the memory, right? 24A08 means 8Kbit means 1KByte means 1024 bytes but this data is not useful. I have never worked with EEPROM ICs, is this normal?

                So I tried jumping by 255 blocks, increased the end address to some large number and converted the bytes to ASCII chars in code:
                Code:
                #include <Wire.h>
                
                #define EEPROM1 0b1010000 //defines the base address of the EEPROM
                
                void setup() {
                 Wire.begin(); //creates a Wire object
                 Serial.begin(9600);
                 Serial.println();
                
                 unsigned int address = 0; //first address of the EEPROM
                 for (address = 0; address < 65535; address+=255) {
                  byte d = read(address);
                  Serial.print(char(d));
                 }
                 Serial.println();
                }
                
                void loop() {}
                
                byte read(unsigned int address) {
                 byte data = 0xFF;
                 Wire.beginTransmission(EEPROM1);
                 Wire.write((int)(address >> 8));   //writes the MSB
                 Wire.write((int)(address & 0xFF));  //writes the LSB
                 Wire.endTransmission();
                 Wire.requestFrom(EEPROM1, 1);
                 if (Wire.available())
                  data = Wire.read();
                 return data;
                }
                Since the EEPROM acts as 4 2K memories with different I2C addresses, I read all of them by changing the EEPROM1 constant to 0b1010001, ...10 and ...11.
                The output:

                And there seems to be the password, or pieces of it. If anything, it's going to be much easier to brute force the password now.
                Also, there seems to be some names of the "islands" configured. It's in my native language and suggests a school environment.
                I cannot copy the text, because the unprintable characters are cutting the pasted text early or something.

                I think I can make it on my own now so thanks to everyone involved.

                Any ideas why I have to skip over 255 bytes all the time? Why I have to reach the limit of Arduino two byte unsigned integer (65535) to read everything?

                EDIT: Is it possible the EEPROM is getting corrupted? "gri?der?j? ??n" doesn't seem like a password to me. I have read that EEPROMs hold data for about 10 years at room temperature, less at elevated temperature. This device is almost 20 years old and it was running at possibly elevated temperatures as a rack switch with fans, heatsinks and 10 W power usage.
                Attached Files
                Last edited by mik13ST; 03-15-2023, 09:12 AM. Reason: EEPROM corruption



                  #9
                  Re: Resetting old Repotec/Eusso switch without RST button or admin access

                  if you look at the hex, the 8th bit may be set stopping it being displayed.
                  "grinder"?



                    #10
                    Re: Resetting old Repotec/Eusso switch without RST button or admin access

                    This is how it looks in decimal + decoded character:
                    Code:
                    0 0 97a 100d 109m 105i 110n 0 0 0 0 0 0 103g 114r 105i 1? 100d 101e 114r 0 0 0 0 2? 106j 24? 127<space> 0 4? 0 4? 110n
                    Here it is in hex only:
                    Code:
                    0 0 61 64 6D 69 6E 0 0 0 0 0 0 67 72 69 1 64 65 72 0 0 0 0 2 6A 18 7F 0 4 0 4 6E
                    The character is 1 in decimal so that's definitely invalid and untypable on the keyboard. I'd say that's the reason the original owner got rid of it, they couldn't get inside it anymore.

                    Clearly, the password ends before the "j" and "n", since it's limited to 10 characters and that's set to zeros.

                    At this point I'd want to write to the EEPROM and make it "grinder", but I am unsure about the weird addressing thing. I could write just a single byte and see if all 255 bytes change. If not, I could set all 255 bytes to "n". Any chance this has a CRC somewhere? I doubt it because it should be failing by now.

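The "read it and look with a hex editor" advice in #5, the bit-7 check in #9 and the hand decoding in #10 can all be done offline on a dumped image. The following Python helper is an added example and is not code from the thread; the only data it carries is the 33 bytes listed in #10, embedded as a constant. `hexdump` gives the hex-editor view, `extract_strings` pulls out printable runs with their offsets (zero-padded fixed-width fields show up as short runs), and `strip_high_bit` / `high_bit_positions` implement the check from #9: if a byte is plain ASCII with bit 7 set, masking it reveals the character, whereas a value like 0x01 is not explained that way.

```python
"""Offline helpers for inspecting a small EEPROM dump (added example)."""

# Raw bytes exactly as listed in post #10 (the first, misaligned read of block 0).
SAMPLE_DUMP = bytes.fromhex(
    "00 00 61 64 6d 69 6e 00 00 00 00 00 00 67 72 69"
    "01 64 65 72 00 00 00 00 02 6a 18 7f 00 04 00 04 6e"
)


def is_printable(b: int) -> bool:
    """Printable 7-bit ASCII, excluding DEL (0x7F) and control bytes."""
    return 0x20 <= b < 0x7F


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII view, the way a hex editor shows the image."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if is_printable(b) else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{asc}|")
    return "\n".join(lines)


def extract_strings(data: bytes, min_len: int = 3) -> list[tuple[int, str]]:
    """Return (offset, text) for every run of printable bytes >= min_len."""
    found: list[tuple[int, str]] = []
    start = None
    for i, b in enumerate(data):
        if is_printable(b):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def strip_high_bit(data: bytes) -> bytes:
    """Mask bit 7 of every byte (post #9's idea): a terminal will not show
    0xE7, but 0xE7 & 0x7F is 'g'."""
    return bytes(b & 0x7F for b in data)


def high_bit_positions(data: bytes) -> list[int]:
    """Offsets of bytes that have bit 7 set, i.e. candidates for the mask."""
    return [i for i, b in enumerate(data) if b & 0x80]


if __name__ == "__main__":
    print(hexdump(SAMPLE_DUMP))
    print("strings:", extract_strings(SAMPLE_DUMP))
    print("bytes with bit 7 set:", high_bit_positions(SAMPLE_DUMP))
```

On the #10 bytes the string pass returns `admin` at offset 2 and the two fragments `gri` / `der` around the 0x01, and `high_bit_positions` returns an empty list, so the odd byte is not a hidden ASCII character; that is consistent with the explanation in #11 that the first dump was misaligned rather than corrupted.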


                      #11
                      Re: Resetting old Repotec/Eusso switch without RST button or admin access

                      Just found out why I was getting the byte repeated 255 times. It's because this EEPROM uses only one byte for the address, specifically the first one you send, which was the MSB. So it read the same address until LSB counted to 255, then moved to the next one.

                      Incrementing by 1 now works fine. Since it's basically 4 2Kbit memories each addressed individually, the stop address should be 256 which indeed reads all the data.

                      This is the updated code:
                      Code:
                      #include <Wire.h>
                      
                      #define EEPROM1 0b1010000 //defines the base address of the EEPROM
                      
                      void setup() {
                       Wire.begin(); //creates a Wire object
                       Serial.begin(9600);
                       Serial.println();
                      
                       unsigned int address = 0; //first address of the EEPROM
                       for (address = 0; address < 256; address+=1) {
                        byte d = read(address);
                        Serial.print(char(d));
                       }
                       Serial.println();
                      }
                      
                      void loop() {}
                      
                      byte read(unsigned int address) {
                       byte data = 0xFF;
                       Wire.beginTransmission(EEPROM1);
                       Wire.write((int)(address & 0xFF));  //writes the LSB
                       Wire.endTransmission();
                       Wire.requestFrom(EEPROM1, 1);
                       if (Wire.available())
                        data = Wire.read();
                       return data;
                      }
                      Line
                      Code:
                      Wire.write((int)(address >> 8));   //writes the MSB
                      had to be removed.

                      This also fixed the values of some characters for some reason and the password indeed is "grinder". The "island" names are more readable now too, there is one named "testing", nice.


                      I will solder the chip back on and try the password. It should work.

                      As cool as the story of this being sold because of EEPROM corruption would be, it's obviously not the case.
                      Attached Files
                      Last edited by mik13ST; 03-15-2023, 01:35 PM. Reason: story update

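To make the addressing explanation in #11 concrete, here is an added Python model of a 24x08-class part (1024 bytes as four 256-byte blocks, block chosen by the two low bits of the 7-bit device address, one word-address byte inside the block). It is not code from the thread or from any vendor datasheet, and it simplifies real chip behaviour (no page-size limits, the pointer is not advanced by data writes). `dump_two_byte_address` replays what the first sketch did and shows every word repeated for all 256 values of the low address byte; `dump_block` / `dump_all` replay the corrected sketch. The third function also shows why pulling WP high mattered: on a chip that only takes one address byte, the second "address" byte of every transaction is data, so with WP low that sketch would have overwritten words 0 to 3 of block 0 before the dump was even finished. The EEPROM image is constructed for the example.

```python
"""Behavioural model of a 24x08-class I2C EEPROM (added example)."""

BASE_DEVICE_ADDR = 0b1010000  # same base address as the EEPROM1 define in the sketches


class Eeprom24x08:
    """1024 bytes organised as four 256-byte blocks.  Block = low two bits of
    the device address; a single word-address byte selects the byte within
    the block.  Simplifications are noted in the lead-in."""

    def __init__(self, image: bytes, write_protect: bool = True) -> None:
        if len(image) != 1024:
            raise ValueError("24x08 image must be exactly 1024 bytes")
        self.mem = bytearray(image)
        self.write_protect = write_protect
        self.pointer = 0  # word address inside the selected block

    @staticmethod
    def _base(device_addr: int) -> int:
        return (device_addr & 0b11) * 256

    def write_transaction(self, device_addr: int, payload: bytes) -> None:
        """Master write: byte 0 sets the word address; every further byte is
        data stored at consecutive words (ignored while WP is high)."""
        if not payload:
            return
        base = self._base(device_addr)
        self.pointer = payload[0]
        if not self.write_protect:
            for offset, value in enumerate(payload[1:]):
                self.mem[base + (self.pointer + offset) % 256] = value

    def read_transaction(self, device_addr: int, count: int = 1) -> bytes:
        """Master read from the current pointer; the pointer auto-increments."""
        base = self._base(device_addr)
        out = bytearray()
        for _ in range(count):
            out.append(self.mem[base + self.pointer])
            self.pointer = (self.pointer + 1) % 256
        return bytes(out)


def dump_two_byte_address(dev: Eeprom24x08, device_addr: int = BASE_DEVICE_ADDR,
                          n: int = 1024) -> bytes:
    """What the first sketch did: send MSB then LSB before every single read."""
    out = bytearray()
    for address in range(n):
        dev.write_transaction(device_addr, bytes([address >> 8, address & 0xFF]))
        out += dev.read_transaction(device_addr, 1)
    return bytes(out)


def dump_block(dev: Eeprom24x08, device_addr: int) -> bytes:
    """The corrected sketch: one word-address byte, 256 words per block."""
    out = bytearray()
    for word in range(256):
        dev.write_transaction(device_addr, bytes([word]))
        out += dev.read_transaction(device_addr, 1)
    return bytes(out)


def dump_all(dev: Eeprom24x08) -> bytes:
    """Read all four blocks by stepping the block bits of the device address."""
    return b"".join(dump_block(dev, BASE_DEVICE_ADDR | blk) for blk in range(4))


def build_sample_image() -> bytes:
    """Constructed image: block 0 holds zero-padded 'admin' and 'grinder'
    fields at the offsets seen in the thread; blocks 1-3 are filled with
    'A', 'B', 'C' so that block selection is visible in a dump."""
    block0 = bytearray(256)
    block0[2:7] = b"admin"
    block0[13:20] = b"grinder"
    return bytes(block0) + b"A" * 256 + b"B" * 256 + b"C" * 256


if __name__ == "__main__":
    image = build_sample_image()
    wrong = dump_two_byte_address(Eeprom24x08(image))
    print("two-byte addressing, distinct values seen:", sorted(set(wrong)))
    right = dump_all(Eeprom24x08(image))
    print("one-byte addressing matches image:", right == image)
    unprotected = Eeprom24x08(image, write_protect=False)
    dump_two_byte_address(unprotected)
    print("words 0-3 of block 0 after the two-byte sketch with WP low:",
          unprotected.mem[:4].hex())
```

With WP high the two-byte dump is merely useless (the first four words of block 0, each repeated 256 times, exactly the pattern in #8); with WP low the same loop leaves 0xFF in words 0 to 3 of block 0, because the last "LSB" written to each word is 255.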


                        #12
                        Re: Resetting old Repotec/Eusso switch without RST button or admin access

                        Yep. Thanks stj.
                        Attached Files



                          #13
                          Re: Resetting old Repotec/Eusso switch without RST button or admin access

                          this is why i invest in cheap chinese tools like programmers instead of trying to use dev boards.

