Image Map Image Map
View RSS Feed

NeXT

Obtaining a Forgotten Login on an IBM System/36

Rate this Entry



This blog post comes from the issue where you may end up with a System/36 where just the administrator or all of the user accounts and passwords have been forgotten. This article has been created to help de-obfuscate an existing procedure posted about 15 years ago here on Usenet. The purpose of redoing this procedure is to be a bit friendlier on those folks who just walked into something in which they have no clue in hell what they are doing because the last machine they touched was a PC or a Macintosh.
A shout out to Mark for assisting me through this, among others.



There are three things you will need before we can proceed. We need a System/36 with at least a basic front panel. No promises that this will work with the IBM 5364. We also need local access to the machine. We will need to perform a task on the front panel. Finally we need a device capable of IBM 5250 emulation. For this step I will be using an IBM 3486 InfoWindow II twinax terminal.

With the machine IPL'd to the login page, turn the system keyswitch to "Service", select "Console Alter/Display" and start running the function.


http://i11.photobucket.com/albums/a1...5363_step1.jpg

As long as your console is set to ID 0 you should be dropped to the "Alter/Display Options Menu". There are only two options we will be using here. For now select "Option 1 - Alter/Display Storage".


http://i11.photobucket.com/albums/a1...5363_step2.jpg

Memory is listed in hex in the form of pages. Use Page Up and Page Down (for me it's holding Shift while pressing the up and down arrow keys) to scroll through memory until you can find location 0A40 and look at the first three bytes following 0A47. In my case these three bytes are 0162F7. This is a location on the disk where the beginning of the security file is located and ultimately where the usernames and passwords hide.


http://i11.photobucket.com/albums/a1...5363_step4.jpg

Return back to the main menu by pressing F3. Now select "Option 2 - Alter/Display Disk Storage". This will bring you to a menu where it asks you to specify a disk location you want to inspect. You already know where the security file starts, so enter in the disk location and press Enter.


http://i11.photobucket.com/albums/a1...g/CGS_7986.jpg

This will take you to the very start of the file. You are pretty much seeing the file header.


http://i11.photobucket.com/albums/a1...g/CGS_7987.jpg

You will want to Page Down to the next disk sector to begin the fun part. Each page is one sector. Each sector contains two account entries. The first one is always at the top at 0000. The second one is in the middle of the sector at 0080. These entries will have identical bytes at their beginnings and ends which can help to find them.


http://i11.photobucket.com/albums/a1...part9and10.jpg

The 16 byte string is both encrypted and in a character format you are usually not used to working with called EBCDIC. If you have committed this far I hope you are ready to work with it more.
There are two ways to solve this. The first is to use the decoding procedure listed in the original Usenet post which first decrypts it, then converts it from EBCDIC to ASCII. The other way is a very nice javascript that is passed around in the IBM groups. The code can be found by clicking here which will take you to Pastebin.

Please note that when using the javascript decoder you must have NO LOWERCASE LETTERS and NO SPACES, otherwise you will run into weird results and <UNHANDLED CODE>. This javascript code is tested and known to work under Internet Explorer 8.

In the images above the 16 byte string for the first account entry is 0103D38D56CC99BEE335DD283419CB3C. Regardless of which way you decide to decode this the result should give you the username JIM and the password SHAR.


http://i11.photobucket.com/albums/a1...63_step11b.png

And that's it! You can press F3 to return back to the main menu and then select "Option 0 - Exit Alter/Display" to return to the IPL sign-on screen.
If however you find the account you decoded either does not have the user privilege you need or the login did not work, you will have to go back to verify you had the right data, or continue scrolling down through the security file to decode more accounts and try those. You will however come across sectors with nothing in them at all, in which you have reached the end of the file.

Submit "Obtaining a Forgotten Login on an IBM System/36" to Digg Submit "Obtaining a Forgotten Login on an IBM System/36" to del.icio.us Submit "Obtaining a Forgotten Login on an IBM System/36" to StumbleUpon Submit "Obtaining a Forgotten Login on an IBM System/36" to Google

Updated May 12th, 2018 at 07:17 PM by NeXT

Categories
Uncategorized

Comments

  1. tingo's Avatar
    Thanks for sharing this!
  2. eeguru's Avatar
    This is amazing! Got into my new System/36 5362 with this info. Thanks!