Reverse Engineering Dell iDRAC 7/8

February 18, 2019 by Matt in /Firmware with No Comments

I came across this project on GitHub that contains source code for achieving undetectable root + loading of arbitrary code on Dell iDRAC7 & iDRAC8 IPMI/BMC server hardware. Although this doesn't work with previous versions of iDRAC that I've written about (v6), the techniques used to adjust the firmware images are applicable.

This work got plenty of attention: ServeTheHome, The Register and AnandTech all wrote about this BMC vulnerability. Dell's own publication of CVE-2018-15774 and CVE-2018-15776 addresses the affected iDRAC releases and specifically mentions that iDRAC systems should not be publicly available.


I won't comment further on this issue since it's already covered well enough in the above links. Just thought I'd mention it here briefly in case someone was looking for ways to take control over their own iDRAC systems.

Reverse Engineering Dell iDRAC6 Express: Fan Control

Part II: The Silence of the Fans

November 05, 2017 by Matt in /Firmware with 5 Comments

As previously mentioned, the Dell PowerEdge T710's stock Pulse Width Modulated (PWM) fans are controlled by the iDRAC6 & BMC firmware data files. I haven't had time to properly address these components but luckily there is another quick method that we can use to silence the stock fans. Later on I also tried swapping out the stock fans (YouTube video) with much quieter Arctic F9 PWM models but this introduced other problems.


Reverse Engineering Dell iDRAC6 Express: Fan Control

Part I: Accessing the Root User

November 02, 2017 by Matt in /Firmware with 2 Comments

I have an aging Dell T710 that I bought a number of years ago. I use it to offload long running processes, handle file sharing, shared services, jails and so on. It's been running FreeBSD for a couple of years since I moved away from Linux.

Like most server-class hardware, this tower is particularly loud. Dell shipped it with pulse width modulated fans that are anything but quiet, and thanks to the iDRAC6 Express software that runs on a WPCM450 integrated baseboard management controller (BMC), the fan control & throttling makes it sound like a jet is taking off. That's fine if you have somewhere to put it, but we've moved to a small apartment and it has to sit in our office. As we're fans of hearing ourselves think (pun intended), I needed some way to wrestle control away from the default iDRAC firmware.

The WPCM450 runs a version of Busybox Linux on an ARM processor. As you would expect, Dell has heavily customized this software and provides access to it via a web interface, Telnet, SSH, RAC, IPMI or Serial interface to RAC/IPMI. None of these options offer the controls we're looking for and the SSH/Telnet options are locked down to the iDRAC SM-CLP command line interface. In short, Dell has turned an otherwise very useful out-of-band management tool into a glorified toaster oven.

Previous versions of the Dell BMC have been reverse engineered by others; however, the Dell T710 is an 11th generation server, so sadly we can't use those methods.
