{"id":20578802,"url":"https://github.com/nrdmn/ilo5-backup-decrypt","last_synced_at":"2025-10-19T12:22:15.601Z","repository":{"id":125064290,"uuid":"312070159","full_name":"nrdmn/ilo5-backup-decrypt","owner":"nrdmn","description":null,"archived":false,"fork":false,"pushed_at":"2020-11-11T19:39:19.000Z","size":8,"stargazers_count":3,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-16T22:20:07.641Z","etag":null,"topics":["ilo5"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nrdmn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-11T19:31:46.000Z","updated_at":"2023-12-04T09:41:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"7f549932-19eb-4b95-bfdf-d514879f665d","html_url":"https://github.com/nrdmn/ilo5-backup-decrypt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nrdmn%2Filo5-backup-decrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nrdmn%2Filo5-backup-decrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nrdmn%2Filo5-backup-decrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nrdmn%2Filo5-backup-decrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nrdmn","download_url":"https://codeload.github.com/nrdmn/ilo5-backup-decrypt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242206001,"owners_count":20089251,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ilo5"],"created_at":"2024-11-16T06:14:37.580Z","updated_at":"2025-10-19T12:22:10.571Z","avatar_url":"https://github.com/nrdmn.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# backup.elf\n\niLO 5 supports the backup and restore of system configuration. The backup file\nis encrypted with a password. Backup and restore is implemented in backup.elf.\n\n\n## backup file format\n\n### 0x90-byte header\n\n offset | type | description\n--------|---------------|----------------------\n `00` | u32 | magic value 0x42fa4c49\n `04` | u32 | 0x101\n `08` | u32 | file size\n `10` | u8[0x10] | MD5 hash of content, see below\n `20` | u32 | 1\n `30` | u8[?] | firmware version as string\n `50` | u8[?] | 'iLO 5 Backup file'\n `70` | u8[0x10] | MD5 hash of the password\n\n#### content hash\n\nThe content MD5 sum is calculated by hashing 0x200 bytes of a repeating\n0x00..0x4c pattern and the content of the encrypted backup file starting at\noffset 0x90.\n\n```c\n MD5_CTX ctx;\n char result[16];\n char buf[0x200];\n FILE *file = fopen(\"backup.enc\", \"r\");\n\n for (int i = 0; i \u003c 0x200; i++) {\n buf[i] = i % 0x4d;\n }\n\n MD5_Init(\u0026ctx);\n MD5_Update(\u0026ctx, buf, 0x200);\n\n fseek(file, 0x90, SEEK_SET);\n while (fread(buf, 1, 0x200, file) != 0) {\n // NOTE: in case the last fread returns less than 0x200 bytes,\n // the hash is still calculated over the entire buffer\n MD5_Update(\u0026ctx, buf, 0x200);\n }\n\n MD5_Final(result, \u0026ctx);\n```\n\n### keys\n\nStarting at offset 0x90, five encrypted keys follow:\n\n offset | type | description\n---------|---------------|----------------------\n `+00` | u8[0x40] | salt\n `+40` | u32 | length of encrypted key, big endian\n `+44` | u8[0x100] | encrypted key\n `+144` | u8[0x10] | iv; it is the same for all five keys\n\nThe first key is derived from the BMC's chip id, the second and third from\ndata from SMBIOS (if available), all remaining keys are generated from\nrandom data. There may be facilities to add custom keys.\n\nFor encryption, AES 256 CBC is used.\n\nThe first key is calculated by generating 0x40 bytes random salt, feeding it\ntogether with the chip id into OpenSSL's PKCS5_PBKDF2_HMAC and using its result's\nfirst 31 bits to initialize libc's rand(). A function to generate random bytes\nby calling rand()\u00260xff for every byte is set as OpenSSL's random number generator.\nUsing this RNG, a 2048 bit RSA key is generated.\n\nThe 8-byte chip id is found at 0x01f20010 or via web interface at\n/xmldata?item=all in \u003cCID\u003e tags.\n\n```c\n RAND_METHOD ilo_rand = {\n ilo_rand_seed,\n ilo_rand_get_bytes,\n NULL,\n NULL,\n NULL,\n NULL,\n };\n\n SSL_library_init();\n RAND_cleanup();\n RAND_set_rand_method(\u0026ilo_rand);\n\n char chip_id[16] = /* chip id */;\n char salt[0x40] = /* random data */;\n char pbkdf2_result[0x80];\n PKCS5_PBKDF2_HMAC(chip_id, 16, salt, 0x40, 0x2f59, EVP_sha384(), 0x80, pbkdf2_result);\n\n RAND_seed(pbkdf2_result, 4);\n RSA *key = RSA_generate_key(0x800, 0x10001, NULL, NULL);\n```\n\niLO's rand() uses a LCG with 31 bits of internal state, yielding values\nbetween 0 and 0x78f0e07. It has an optimal period length of 0x78f0e079.\n\n```c\nbool rng_seeded = false;\nuint32_t rng_state;\n\nvoid srand(unsigned int seed)\n{\n rng_state = seed \u0026 0x7fffffff;\n}\n\nint rand(void)\n{\n if (!rng_seeded) {\n rng_seeded = true;\n rng_state = 1;\n }\n rng_state = ((uint64_t)rng_state * 0x3aa8 + 0xf4627) % 0x78f0e079;\n return rng_state \u003e\u003e 4;\n}\n```\n\n## content\n\nThe encrypted backup file contents are gzip compressed and\n_must start with these eight bytes_: `1f 8b 08 00 00 00 00 00`\nThis means that the contents must be deflate compressed, not\ncontain the original file name, and not contain the timestamp\nof creation.\n\nThe decompressed contents are a packed series of the following structure:\n\n offset | type | description\n--------|---------------|----------------------\n `00` | u32 | magic value 0x42fa4c49\n `04` | u32 | 0x101\n `08` | u32 | file length\n `30` | u8[32] | absolute directory path\n `50` | u8[32] | file name\n `90` | | file content\n\n## file list\n\niLO 5 firmware 1.40 knows the following files:\n\n\n description | directory | filename | flags\n------------------|---------------------|-------------------------|---------\n Firmware version | i:/vol0/cfg | version.bin | 00000001\n Serial Number | i:/vol0/cfg | eeprom.bin | 00000003\n License | i:/vol0/cfg | license.bin | 00000001\n LicenseCI | i:/vol0/cfg | lic_owner.bin | 00000001\n Network (kernel) | i:/vol0/cfg | nwcfg.bin | 00000003\n Security Manager | i:/vol0/cfg | secmgr.bin | 00000001\n Security CAC | i:/vol0/cfg | secmgrnk.bin | 00000001\n User DB | i:/vol0/cfg | cfg_users.bin | 00000001\n User DB Keys | i:/vol0/cfg | cfg_users_key.bin | 00000001\n User CAC | i:/vol0/cfg | cfg_cac.bin | 00000001\n AHS cfg | i:/vol0/cfg | blackbox.bin | 00000001\n AHS cfg (NAND) | /mnt/blackbox | blackbox.bin | 00000001\n Beacon cfg | i:/vol0/cfg | beacon.bin | 00000001\n iLO CFG | i:/vol0/cfg | ilo.bin | 00000001\n Webserver | i:/vol0/cfg | webserv.bin | 00000001\n RIB-CL | i:/vol0/cfg | ribcl.bin | 00000001\n SMSSO | i:/vol0/cfg | smsso.bin | 00000001\n SRV INFO | i:/vol0/cfg | srvinfo.bin | 00000001\n ROM PS | i:/vol0/cfg | rom_ps.bin | 00000000\n IPv6 ET0 | i:/vol0/cfg | ipv6_et0.bin | 00000001\n IPv6 ET1 | i:/vol0/cfg | ipv6_et1.bin | 00000001\n FSS | i:/vol0/cfg | fss_cfg.bin | 00000000\n AlertMail | i:/vol0/cfg | alertmail.bin | 00000001\n AlertMail EKey | i:/vol0/cfg | amail_ekey.bin | 00000001\n SecurEST | i:/vol0/cfg | securest.bin | 00000000\n DVI | i:/vol0/cfg | dvi.bin | 00000001\n USB VM | i:/vol0/cfg | usbvms.bin | 00000001\n rSYSLOG | i:/vol0/cfg | rsyslog.bin | 00000001\n LINKDET | i:/vol0/cfg | linkdet.bin | 00000001\n FW SCAN | i:/vol0/cfg | fw_scan.bin | 00000001\n CLI.BIN | i:/vol0/cfg | cli.bin | 00000001\n ERS PEM | i:/vol0/cfg | ers.pem | 00000001\n ERS REG TOKEN | i:/vol0/cfg | ers_reg_token.bin | 00000001\n ERS BIN | i:/vol0/cfg | ers.bin | 00000001\n ERS KEY | i:/vol0/cfg | ers_key.bin | 00000001\n ERS IML | i:/vol0/cfg | ersiml.bin | 00000000\n LDAP | i:/vol0/cfg | cfg_ldap.bin | 00000001\n DIRGRP | i:/vol0/cfg | cfg_dirgrp.bin | 00000001\n PWR | i:/vol0/cfg | pwr.bin | 00000001\n SNTPdn0 | i:/vol0/cfg | sntpsdn0.bin | 00000001\n SNTPdn1 | i:/vol0/cfg | sntpsdn1.bin | 00000001\n Timezone | i:/vol0/cfg | tz.bin | 00000001\n Key Manager | i:/vol0/cfg | keymgr.bin | 00000001\n CPU | i:/vol0/cfg | cpu.bin | 00000000\n SNMP CFG | i:/vol0/cfg | snmp.bin | 00000001\n SNMPD | i:/vol0/cfg | snmpd.conf | 00000001\n SNMPV3 | i:/vol0/cfg | snmpv3.bin | 00000000\n SNMPZ | i:/vol0/cfg | snmp_extn.z | 00000000\n RESTSERVER | i:/vol0/cfg | restserv.bin | 00000000\n Kerberos | i:/vol0/cfg | kerberos.bin | 00000001\n VSP | i:/vol0/cfg | vsp.bin | 00000001\n Server FQDN | i:/vol0/cfg | srvfqdn.z | 00000001\n HP SSO | i:/vol0/cfg | hpsso.bin | 00000001\n Random Pool | i:/vol0/cfg | random.bin | 00000000\n RIS Subscrbers? | i:/vol0/cfg | ris_subscr.bin | 00000000\n RIS Tasks | i:/vol0/cfg | ris_tasks.bin | 00000000\n RIS Tasks (DIMM) | i:/vol0/cfg | dimmcfg.bin | 00000000\n RDP | i:/vol0/cfg | rdp.bin | 00000001\n Server Signing | i:/vol0/cfg | srvsig.bin | 00000000\n MCTP | i:/vol0/cfg | mctp.bin | 00000001\n BMC cfg | i:/vol0/cfg | bmc_nvcfg.bin | 00000001\n BMC cfg2 | i:/vol0/cfg | bmc_nvcfg2.z | 00000001\n BMC PoH | i:/vol0/cfg | bmc_nvpoh.z | 00000000\n EH cfg a0 | i:/vol0/cfg | eh_nvcfg_a0.z | 00000001\n Virt. NIC | i:/vol0/cfg | vnic.bin | 00000001\n ROM IST Settings | i:/vol0/cfg | rom_ist.bin | 00000001\n IST Thresholds | i:/vol0/cfg | ist_sens_threshold.bin | 00000001\n IST data | i:/vol0/cfg | ist_cust_dura_samp.bin | 00000001\n IST data | i:/vol0/cfg | ist_1day_samples.bin | 00000000\n IST data | i:/vol0/cfg | ist_30m_1hr_samples.bin | 00000000\n SECERASE | i:/vol0/cfg | syserase.bin | 00000000\n Sec Dashboard | i:/vol0/cfg | secdbcfg.bin | 00000001\n EVs | i:/vol0/evs | evs.bin | 00000001\n Web SSL Cert | i:/vol0/certs | sslcert.der | 10000101\n WEB Certs | i:/vol0/certs | sslcsr.der | 10000101\n WEB Certs | i:/vol0/certs | tfacert.pem | 10000101\n ESKM | i:/vol0/certs | eskm_ca.pem | 10000101\n ESKM DER | i:/vol0/certs | sslcert.der | 10000101\n SSH Key | i:/vol0/certs | mp_sshkey.bin | 10000101\n LDAP Cert | i:/vol0/certs | ldapcacert.der | 10000101\n KRB5 Config | i:/vol0/kerberos | krb5.conf | 00000101\n KRB5 keytab | i:/vol0/kerberos | krb5.keytab | 00000101\n EV LOG | i:/vol0/cfg | evlog.bin | 00000000\n SMBIOS | i:/vol0/cfg | smbios.bin | 00000000\n SMBIOS .Z | i:/vol0/cfg | smbios_3.z | 00000000\n PowerAlloc | i:/vol0/cfg | rckmgmt.bin | 00000000\n Backup | i:/vol0/cfg | backup.bin | 00000000\n Login CFG | i:/vol0/cfg | logincfg.bin | 00000001\n CAC stuff | /mnt/ilostore/certs | 0cacert.der | 00000101\n CAC stuff | /mnt/ilostore/certs | 1cacert.der | 00000101\n CAC stuff | /mnt/ilostore/certs | 2cacert.der | 00000101\n CAC stuff | /mnt/ilostore/certs | 3cacert.der | 00000101\n\nThe LSB of `flags` means that the file shall not be backuped.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnrdmn%2Filo5-backup-decrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnrdmn%2Filo5-backup-decrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnrdmn%2Filo5-backup-decrypt/lists"}