xhausted110

Avaya definity

108 posts in this topic

Did you try running the start_vs script used to start Audix? The Dialogic executable is driver related, and is started by the start_vs script normally (though starting it manually won't hurt it; the shell scripts aren't particularly bad). If there's any problems starting the system, it should let you know. I think /vs/bin/start_vs_now is responsible for doing a lot of the legwork, so if you think there's something it's not telling you, that's probably the first place to look.

0

Share this post


Link to post
Share on other sites

Hi ThoughtPhreaker!

 

I was in the same boat with xhausted100 with my Definity system, but your methods worked perfectly! 

 

My question is with a version 6 system with no card.  I can't seem to get it to read memory of the pam process to in order to get the passwords for the accounts. It keeps telling me invalid address. It must be me since I am not familiar at all with the commands for rva and wva or the debugger commands. Would it be possible for you to give me a quick tutorial of how to read the pam process memory?

 

Thanks!

1

Share this post


Link to post
Share on other sites

rva is pretty straightforward to use; type rva process [whatever process you want to look at. For example, pam] a [address you want to dump. Though it's hex, it doesn't want a preceeding 0x before it] c [number of bytes you want printed out in hex format; for the maximum, 255, you'd tell it FF]

 

The virtual memory addresses we want to look at always start at 0x400000. In the case of release 6, the init password is stored in a couple of places. The first is 0x423487, and since the password data is 12 bytes long, which is the value C in hex, you'd want to type: rva process pam a 423487 c c .

 

There's also another address it's stored at; 0x435537. This one, I think (though I could be wrong. You could definitely try both if you're interested, but you can just log in and change it anyway) is the one it actually checks when you log in. As usual it's C bytes, but wva wants an extra argument; v/value. If you want to write different bytes, you'll have to do it one at a time, like wva process pam a 435537 c 1 v 00. If you want to overwrite everything, you could increase the count, and give it something like wva process pam a 435537 c c v 00 .

 

Anyway, there's also a debugger command that lets you dump RAM. This is best for dumping the whole process. While you can use a script or something to spit everything out with the rva command, it takes a painfully long time to cough out even the smallest things. This, by contrast, should get pam (220 kb) in about ten minutes or so. Not exactly amazing, but it's more what you'd expect from a 9600 baud serial link.

 

So just type, for example, rd -f (number of bytes you want)x pam 0x400000 , and it'll do the rest. The x indicates we want the bytes in hex format, rather than something horrible like octal numbers. The count can be as high as you want; it'll just keep going until the end of the file before throwing an error at the end. Just for the sake of completeness, here's a valid example command:

 

rd -f 2000000x pam 0x400000

0

Share this post


Link to post
Share on other sites

Thanks ThoughtFreaker.  It worked like a charm with one exception.  I didn't find the password to init at the address you gave me.  After doing a memory dump of pam, I found it at 0x421470. That's the beginning of "init" followed by 3 zeros. It may be a different version but the label say V6.  Anyway I got the password and all is well.

 

Thanks gain!

0

Share this post


Link to post
Share on other sites

It should say the software version on the terminal when you log in. Those stickers can be a little misleading if someone upgraded the switch, but release 6 was the last version to not have ASG permanently enabled on the init account. Maybe you have a different build of 6 or something? I think the exact version of the one I dumped was G3V6i.03.4.253.1 .

0

Share this post


Link to post
Share on other sites

 

OK, now on to something more complex, the challenge response mechanism for ASG logins.  Not sure if this should be a new thread, let me know. The basic sequence is when you try to login to, say init, which is ASG protected, the system gives you a challenge number and wants a response. Here's the back story:

 

When your account is created on the Definity, a secret key, is either machine generated or manually input for your username, (or init, or whatever).  Both you and the definity know that secret key.  When you try to login, the definity gives you a number that you have to run through the algorithm with your secret key, either on a hand held device or the management software. The resulting number is what you enter for the response to the Definity. Of course, it is doing the same. The response you give it must agree with what it generates internally so that it will let you in.  Hope that makes sense.

 

So where is the per username secret key stored?  In the username record in PAM or somewhere else? I've read that it is either 14 hex or 20 octal digits. And the response is 7 digits(?). The secret key is displayed on the change login screen if you have high enough privilege to see it.

 

On to poking around in memory....

 

After looking through the R8 Pam file you have attached to this thread, I've noticed something different about the 2 init records. There's the one at 264d0. If you look at the one at 38f60, there is an additional 16 digit hex string at 38f66. Could that be the secret key??????? If it is, all we need is the encryption algorithm!!!  (Like that's a tiny thing!)

Edited by oldphoneman
additional info
0

Share this post


Link to post
Share on other sites
On 8/17/2016 at 11:05 AM, ThoughtPhreaker said:

There's a special extension type - VMI that seems to send a number of some sort when the line goes offhook. I'm guessing it's the number calling it, but I'll check tonight. Here's a configuration guide Avaya made for setting up an Audix/Definity arrangement: http://downloads.avaya.com/css/P8/documents/100013671

 

Though it's not documented here, you can do this with regular line classes and a hunt group if you want. Make a hunt group with the Audix lines, and add a vector with the command "converse on split [hunt group ID] priority [whatever] . The next few arguments after that should give you the option to send a number of things after any line in the hunt group goes offhook.

 

EDIT: Here ya go! Sorry for the sketchy file locker. It's the first I could think of that allows big files for free.

 

http://uploadrocket.net/w5tu5lfe3c2f/AUDIX_LX_app_soft.nrg.html

 

Here's the service pack update thingy as well. I think the first release of Audix has some sort of well documented vulnerability. I mean, aside from all the ones you'd expect from circa-2003 Redhat.

 

http://www110.zippyshare.com/v/MuZ3k7oL/file.html

Aww. Too late to snag it. :(

 

I still need to make my Definity do well, anything first though. C-LAN works, IP Media Processor not so much, trunking to anything not so much.

 

(Do I absolutely have to connect Audix stuff via an analogue line, or can I do some hilariously hacked up trunk?)

0

Share this post


Link to post
Share on other sites
Quote

 

So where is the per username secret key stored?  In the username record in PAM or somewhere else? I've read that it is either 14 hex or 20 octal digits. And the response is 7 digits(?).

 

I think it's all stored in the place you described. There's a PIN if I'm not mistaken, that brings it up to 20 hex bytes right next to the key in question. You'll see that particular set of bytes change every time you change your key.

 

Quote

 

If it is, all we need is the encryption algorithm!!!  (Like that's a tiny thing!)

 

It's less big than you might think :) . Some people with Avaya PBXes are less than responsible, and put development packages on the internet:

 

ftp://ftp2.veracomp.pl/net/avaya/Software/SES_5_1_2/Releases/rpms/asgtools-1-0.AV10.i386.rpm

ftp://ftp2.veracomp.pl/net/avaya/Software/SES_5_1_2/Releases/rpms/asgtools-devel-1-0.AV10.i386.rpm

 

While you can't get the source, you can get some header and object files used for ASG functions in their x86 platforms. They're relatively readable with a trip through a decompiler and some deducing which variables are which ( http://pastebin.com/c6znKRUF ), but more importantly, it shows that the earlier ASG stuff is a one time password algorithm based on DES. At some point - probably in the mid 2000s, they got enough sense in their head to switch to AES.

 

This is important not just because the one time passwords are annoying/used to lock down the switch, but because release 10 and up, where all the really fancy features come into play, want you to upload a license key based on ASG.

 

Quote

 

I still need to make my Definity do well, anything first though. C-LAN works, IP Media Processor not so much, trunking to anything not so much.

 

Yeah, I think the IP media processor won't work without a relatively recent release; ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/media/minhardwarevintages.pdf . If your release is 7.1 or something though, allegedly you can put this crazy thing in your switch and get IP trunks. Though it's sorta like adding a car to your pool because you don't like getting rained on while you swim. http://www.ebay.com/itm/Avaya-Lucent-Definity-TN802-V2-MAPD-Board-w-8MB-Card-HDD-/391312141904?hash=item5b1c056e50:g:atcAAOSw5VFWOpHM

 

Quote

 

(Do I absolutely have to connect Audix stuff via an analogue line, or can I do some hilariously hacked up trunk?)

 

That depends on what you can get to work. You absolutely do need to use that software with a Dialogic card, but they make T1 cards too. I'd be surprised if Avaya didn't put support for that into their software. I think there's something to differentiate between analog and digital interfaces in the software. But then again, I tried it with my Dialogic T1 card and it didn't want to cooperate. Though I think that was probably a good thing in the long run. It wound up being used for...better things. http://thoughtphreaker.omghax.ca/audio/ligatt_megaphone.mp3

Edited by ThoughtPhreaker
0

Share this post


Link to post
Share on other sites
5 hours ago, ThoughtPhreaker said:

 

 

Yeah, I think the IP media processor won't work without a relatively recent release; ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/media/minhardwarevintages.pdf . If your release is 7.1 or something though, allegedly you can put this crazy thing in your switch and get IP trunks. Though it's sorta like adding a car to your pool because you don't like getting rained on while you swim. http://www.ebay.com/itm/Avaya-Lucent-Definity-TN802-V2-MAPD-Board-w-8MB-Card-HDD-/391312141904?hash=item5b1c056e50:g:atcAAOSw5VFWOpHM

 

System: G3csiV11    Software Version: R011i.03.2.536.1

 

Hmmm! The previous config made all sorts of 'VoIP" references and no references to a module of that sort, however. Just the MedPro

 

5 hours ago, ThoughtPhreaker said:

That depends on what you can get to work. You absolutely do need to use that software with a Dialogic card, but they make T1 cards too. I'd be surprised if Avaya didn't put support for that into their software. I think there's something to differentiate between analog and digital interfaces in the software. But then again, I tried it with my Dialogic T1 card and it didn't want to cooperate. Though I think that was probably a good thing in the long run. It wound up being used for...better things. http://thoughtphreaker.omghax.ca/audio/ligatt_megaphone.mp3

 

display circuit-packs                                           Page   1 of   5
                              CIRCUIT PACKS

        Cabinet: 1                            Carrier: A
                                         Carrier Type: processor

 Slot Code  Sf Mode   Name               Slot Code  Sf Mode   Name
                                          11:
  01: TN2402         PROCESSOR            12:
  02: TN2182 C       TONE/CLOCK           13:
  03: TN747  B       CO TRUNK             14:
  04: TN464  F       DS1 INTERFACE        15:
  05: TN799  D       CONTROL-LAN          16:
  06: TN2302         IP MEDIA PROCESSOR
  07: TN2224 B       DIGITAL LINE
  08: TN2224 B       DIGITAL LINE
  09: TN2224 B       DIGITAL LINE
  10: TN793          ANALOG LINE

  '#' indicates circuit pack conflict.  

 

display system-parameters customer-options                      Page   1 of   9
                                OPTIONAL FEATURES
                                                              USED
     G3 Version: V11                     Maximum Ports: 424   0
       Location: 1            Maximum XMOBILE Stations: 10    0
       Platform: 3

IP PORT CAPACITIES
                        Maximum Administered IP Trunks: 1     0
           Maximum Concurrently Registered IP Stations: 29    0
             Maximum Administered Remote Office Trunks: 0     0
Maximum Concurrently Registered Remote Office Stations: 0     0
              Maximum Concurrently Registered IP eCons: 0     0         

                    

MAXIMUM IP REGISTRATIONS BY PRODUCT ID

Product ID  Rel. Limit          Used
IP_Phone       : 900            0
IP_ROMax       : 900            0
IP_Soft        : 5              0

 

I have support for some sort of IP trunks/phones...

 

                                     

0

Share this post


Link to post
Share on other sites
Quote

 

Hmmm! The previous config made all sorts of 'VoIP" references and no references to a module of that sort, however. Just the MedPro

 

Yeah, you should be fine with something as far up as eleven. I think the PDF says you have to have 8.3 or above to get the IP media card working. If you're having trouble with IP stuff though, maybe try testing something as a softphone? I dunno why they'd differentiate between actual and softphones, but for whatever it's worth, a lot of Avaya's non-IP phones use the DCP protocol, their proprietary ISDN variant. Their IP phones use the same thing over H.323, but the difference might be because they don't feel comfortable having their secret sauce running on any old desktop PC. They might be using standard H.323 or something.

 

That being said, do you happen to know much about how to upload/download license files? I actually have a release 11 card here that'll need some, er, liberating at some point. Unlike 9/-, even if you can convince the switch you're init, it doesn't like you trying to activate it without one. Which judging by that RPM, is just a matter of doing some legwork, but I'm still scratching my head on what command it wants. A quick hunt through Avaya's goofy license installer ( ftp://ftp2.veracomp.pl/net/avaya/Narzedzia/LIT/ ) shows there's a lot of strings related to reading the license details, but nothing for uploading it. Well, besides an xmodem implementation.

Edited by ThoughtPhreaker
0

Share this post


Link to post
Share on other sites
7 hours ago, ThoughtPhreaker said:

That being said, do you happen to know much about how to upload/download license files? I actually have a release 11 card here that'll need some, er, liberating at some point. Unlike 9/-, even if you can convince the switch you're init, it doesn't like you trying to activate it without one. Which judging by that RPM, is just a matter of doing some legwork, but I'm still scratching my head on what command it wants. A quick hunt through Avaya's goofy license installer ( ftp://ftp2.veracomp.pl/net/avaya/Narzedzia/LIT/ ) shows there's a lot of strings related to reading the license details, but nothing for uploading it. Well, besides an xmodem implementation.

 

Sadly, I do not know anything about that...haven't had the time to poke at the memory much.

 

Hmmmm. xmodem implementation...I hope it isn't doing something bizarre with the debug shell.

 

I wonder if it would detect a modified ROM NOPing out the challenge checking...

0

Share this post


Link to post
Share on other sites

display ethernet-options

                                 ETHERNET OPTIONS

Enable
Eth Pt Type   Slot   Code   Sfx    Auto     Speed     Duplex
   y   C-LAN  01A05  TN799   D      y
   y   MEDPRO 01A06  TN2302         y                   

 

I have both up now, though!

0

Share this post


Link to post
Share on other sites

Hmmmm. xmodem implementation...I hope it isn't doing something bizarre with the debug shell.

 

I doubt it. You'd probably see the debugger command in there if it was doing that. From there, you can manually invoke the xmodem process, but I have no idea what sort arguments it wants. Every time I've tried, it just immediately kills itself.

 

In any case, firmware updates for cards or translations and whatnot are typically what it's used for via the upload and download commands.

 

I wonder if it would detect a modified ROM NOPing out the challenge checking...

 

You probably could; the only time it's ever bothered me about that sort of thing is when a process crashes, but there's easier ways to fool it. The real problem is under most translation cards, the inads user will prompt for ASG. You're fine if you boot the system with no card, but then you need to be able to feed it a license. That should be in the translations file. Using what we have in the ASG development headers, figuring out exactly what's going on shouldn't be too hard once we identify where the license is. Keep in mind it's designed explicitly for the product ID in the translations card, and probably the serial number on your CPU card though.

0

Share this post


Link to post
Share on other sites

Good Evening,

 

I am the Curator of The Museum of Telephony. In the last year, I've worked on documenting my beloved vendor of choice for PBX systems, such as digitizing the 1985 AT&T Technical Journal article on the System 75 (the origins of the Definity) and did an email interview of the voice of the AUDIX voicemail system. You can't go wrong with a Definity/CM. It has it's flaws which is why there's probably a thread here.

 

Enough about my site, haha. I'm not here to plug, but I'd like to discuss the earlier conversation in regards to the Definity's password tweak. 

 

I'm an owner of a Definity CMC (or CSI) currently running on Release 9. I also on a Definity AUDIX TN568 board running on DA 4. A friend of mine gave me the unit with two PPNs, the other one that's release 12 (aka CM R2.) This one that requires a license. When I accessed it the first time it went on a 30 day countdown then I was barred to use the very important "add" function. Since I didn't care if I figuratively fried it. I loaded it without a translations card, changed the date to fool it, but after those 30 days I couldn't even change login credentials (handles or passwords)

 

I can say for sure the PBX has since been totally defaulted after I did a "Reset 4" command.  The handle/password given to me is no longer accessible (can go in via INADS sans translations card and craft.) Also no trunks or stations are seen. Since there wasn't a license, I told it to remove it (what else could go wrong!) 

 

I contacted Avaya's support crew back in '15 when I tried to contact them to activate the system for a basic license, and apparently my request didn't just go to support but to legal claiming that I had to have a maintenance contract in order to do anything. Well for the home for educational purposes  - screw that! I still have hurt feelings from them :P 

 

I found this site with some hope. I'd love to have R12 to do VOIP, and it's more functional than R9. I figure in order to get the system back in order, I feel INIT or INADS would be needed over craft or dadmin. Also is there any way to spoof the license file? 

 

I noticed the quoted statement below didn't get followed up. I also don't understand how I change the lines. Can you walk me through the quoted part in detail? I never seen Oryx/Pecos before till tonight (assuming you don't count the SAT/GEDI administration as such...)

 

On 8/14/2016 at 10:03 PM, ThoughtPhreaker said:

So why so many exclamation points? The exclamation point is a null character as far as the passwords are concerned. The byte I highlighted in bold is the one responsible for the user ID.

 

So I'm going to change the password for craft from crftpw to crftpw1 and re-run the TCM shell command. There's a byte you can change in the RAM to make it force you to change your password. It's good in a situation like this where the switch won't let you change your password normally. It's sort of a pain in the ass to find, but let me know if you want me to point it out. Anyway, you'll notice the first two lines just changed to this;

 

PR_LOGIN 6372 6166 7400 006c 7577 7231 636e 2121 'craft  luwr1cn!!' <-- crftpw1
PR_LOGIN 2121 216c 7577 7221 636e 2121 2121 0001 '!!!luwr!cn!!!!  ' <-- note old password stays the same (crftpw)

 

Quote

Can you say insecure? The Definity can! Or as it'd say, ctjbwse12b2! . If you'd care to learn the order of the remaining bytes (that's the maximum length of 11 characters), that's "insecure133".

 

I could see how this is insecure. But it takes someone to get access to the phone room, turn the thing off and take the translations card and boot it up and one would hope there is physical security being in place. If someone was doing this even in a MCC environment someone would catch the shenanigans. One would hope.  I spent 3 hours digging through.

 

I never imagined how Oryx/Pecos looked at the Tier 3/engineer side. My mind was blown away by all the inner workings. Of course it's fun to look not to touch! :)

 

Edited by MakeAvayaRedGreatAgain
0

Share this post


Link to post
Share on other sites
Quote

 

I could see how this is insecure. But it takes someone to get access to the phone room, turn the thing off and take the translations card and boot it up and one would hope there is physical security being in place. If someone was doing this even in a MCC environment someone would catch the shenanigans. One would hope.  I spent 3 hours digging through.

 

Sure, but keep in mind that the one time password algorithm for the Definity is based on DES. I'm not a crypto guy, but based on what I know about DES, having faith in that even if an attacker doesn't have the keys seems like a dangerous game. Much like the passwords as well, the ASG keys for init and inads are probably the same for every processor using a specific build. Though I guess the problem with that is you don't know what build it is until you log in or physically look at the sticker on the processor. This'll definitely have to be explored further at some point - maybe they use the same inads or craft or whatever key on every build.

 

Quote

 

Also is there any way to spoof the license file?

 

Ostensibly, yeah. The header and object files we got from the RPM should allow anybody who uses it in their code to encode and decode license keys, and from the look of the functions, probably make and test valid ASG keys as well. The idea behind disassembling the object files was to try and get an idea of how the functions work - and that's still a valid choice, but it might be less work to just use them as is through trial and error.

 

Of particular note in asg.h is this:


struct lic_info {
        unsigned char   version[4];
        unsigned char   filler[6];
        unsigned char   hexkey1[8];
        unsigned char   hexkey2[8];
};

 

along with the four functions in license.h . Since gewt has a switch with a valid license, I was hoping we could use this to test data we know for sure works against anything we happen to write with these ASG functions.

 

Quote

 

Can you walk me through the quoted part in detail?

 

Sure! I'll send you a PM.

Edited by ThoughtPhreaker
0

Share this post


Link to post
Share on other sites

Thoughtphreaker,

Sorry for not replying sooner, life got in the way. Since my last post, I've reinstalled AUDIX several times, and tried many methods of beating the licensing system, to no avail. The damn voice system will never come up. As a last ditch effort, is there any chance you could send me an image of your system's hard drive? I could just write that image to a drive here, and have a known working set up. If you can't do that for whatever reason, maybe you could do a comparison of a fresh install vs your modified version? I'm still very interested in getting AUDIX working with my definity.

Thanks.

0

Share this post


Link to post
Share on other sites

As a last ditch effort, is there any chance you could send me an image of your system's hard drive?

 

Sure! It'll take a few, though; I'll have to find a juggling act that'll work to get that copied, let alone uploaded. A brownout knocked out the power supply to my server and a few other nice things, so until I figure out what to do with it, everything will be going sort of slowly. It's a Dell desktop from like a hundred years ago; it works perfectly fine for the tiny CPU load it gets, but it's one of those stupid ones with the proprietary PSU pinout. This is the second OEM power supply that's died during a brownout, and replacing it is getting to be an annoyance. So my options here are to get another one and just ride it out until the next brownout - not something I'm especially keen on, finding a third party one that's hopefully built better, trying to find the pinout online and kluging a standard ATX supply into there (I think there's more -5v lines than there are on a standard ATX connector), or throwing a perfectly good machine in the garbage and replacing it with something probably significantly more powerful for next to - or possibly nothing.

0

Share this post


Link to post
Share on other sites

Cool.

If you want to modify a standard ATX power supply, I can provide voltage readings from a working dell if you need them, I think I have one from every generation in the past 20 years.

0

Share this post


Link to post
Share on other sites

Sure, could you? Sorry it took me so long to respond; it's been a weird month. The PSU in question is a Dell HP-P1457F3.

0

Share this post


Link to post
Share on other sites

Hello there,

I just wanted to put my 2c in....

 

The Intuity Audix LX 1.0 and 2.0 require a specific hard drive that has been flashed by AVAYA. When You look at the drive ID it comes up "AMP". Without that drive the ports will not activate.

 

 

0

Share this post


Link to post
Share on other sites

The way I did mine was a bit weird; the server in question doesn't have a VGA card, so I did the first installation stage on a VMWare instance, loaded it onto a hard drive with another OS, SSHed in, and then simply used dd to copy it to yet another drive. That was just the OS installation though; all the RPMs were installed just the same as everybody else's. At the end of the day though, I installed it onto an old 20 GB (from that same Dell when a bigger drive was put in, actually) IDE drive I don't have much use for otherwise. There's nothing particularly special about it.

 

Anyway, sorry this has taken so long. I do actually plan on uploading an image with this at some point so we can get to the bottom of what's going on. Aside from the hardware concerns though, I would like to shuffle around some data (mostly voicemails; the passwords on a machine like this are obviously throwaways) before giving it out. I did have it answering my phone for a while when I wasn't around.

0

Share this post


Link to post
Share on other sites

Posted (edited)

On 1/11/2017 at 2:29 PM, ThoughtPhreaker said:

 

Sure, but keep in mind that the one time password algorithm for the Definity is based on DES. I'm not a crypto guy, but based on what I know about DES, having faith in that even if an attacker doesn't have the keys seems like a dangerous game. Much like the passwords as well, the ASG keys for init and inads are probably the same for every processor using a specific build. Though I guess the problem with that is you don't know what build it is until you log in or physically look at the sticker on the processor. This'll definitely have to be explored further at some point - maybe they use the same inads or craft or whatever key on every build.

 

 

Ostensibly, yeah. The header and object files we got from the RPM should allow anybody who uses it in their code to encode and decode license keys, and from the look of the functions, probably make and test valid ASG keys as well. The idea behind disassembling the object files was to try and get an idea of how the functions work - and that's still a valid choice, but it might be less work to just use them as is through trial and error.

 

Of particular note in asg.h is this:


struct lic_info {
        unsigned char   version[4];
        unsigned char   filler[6];
        unsigned char   hexkey1[8];
        unsigned char   hexkey2[8];
};

 

along with the four functions in license.h . Since gewt has a switch with a valid license, I was hoping we could use this to test data we know for sure works against anything we happen to write with these ASG functions.

 

Sorry for disappearing for a long time - work got in the way.

 

Okay - where's the best place for me to start?  Aside from the obvious "dump the translations card" step. (It's PCMCIA flash, right?)

 

I'd love to poke through ROM dumps...:P

 

Quote

 

 

Sure! I'll send you a PM.

 

Edited by gewt
0

Share this post


Link to post
Share on other sites

Okay - where's the best place for me to start?  Aside from the obvious "dump the translations card" step. (It's PCMCIA flash, right?)

 

Yup, the newer cards are ATA flash. The older ones (release 8/-), linear. If you don't want to bother with finding something to plug it into, the Definity can xmodem it to you. Boot it with no translations, log in as inads, plug it in, and type upload (I think. It's relative to the direction of the Definity) translations.

 

Anyway, as for where to start, I'd get the switch to print a copy of the license data - list config license, I think. Then, with the system booted, if you have inads access under normal circumstances, get a ramdump of pam and compare it to a dump of the same process with no translations card installed. If that's not possible, just the latter is probably fine; the translations card will probably give most of what we need. The challenge with that, if we want to try and load/edit licenses through the memory card (obviously a great start. I'd really like to know where it's supposed to load this stuff in, though), is that it uses some weird format with a bunch of checksums. Ostensibly the best way to deal with that is to use the bulletin board feature; you could just write a 1 or something to it, upload the translations somewhere, then change it to a 2 or 0 or whatever, and see what changed.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now