[Solved] Mellanox SX6012 u-boot password removal without bash access?

zuikaku

New Member
Feb 7, 2021
7
3
3
Does anyone know how to remove the u-boot password on SX6012 without the access to bash? I'm aware of the methods posted by @necr, but I only have access to MLNX-OS 3.5.1006 which doesn't allow to reset the bootmgr pwd from the shell. This is the EMC switch and I converted with the manufacturing script so no custom image is installed. I can still upgrade to other versions. That said, anything above 3.5.1006 will be stuck at the login screen with "fetal error" (likely because the OS can't match the FRU without a modified hwd, but as far as I know of there is no way to locally patch them either)...

As a last resort I was playing with fae commands to overwrite the FRU info (so as not to be EMC) but had no lack either. Some interesting findings though, there are a few commands that seem available to tweak the FRU info on the board. For example, mlxi2c has parse_fru and write_fru options and mellagra has low level accesses to the internal i2c bus. However, I am not sure if this is possible because I found out only one device appears at 0x70 (it shouldn't be only one...) on the bus.. So I'm completely lost now... Any advice/suggestion would be appreciated.

image.png

Code:
switch-XXXXXX [standalone: master] (config fae) # mlxi2c scan
0x70
switch-XXXXXX [standalone: master] (config fae) # mlxi2c parse_fru dev 0x70 4
switch-XXXXXX [standalone: master] (fae) # mlxi2c -without_modules show devs -v
Nov 04 12:30:28 INFO    LOG: Initializing SX log with STDOUT as output file.
Nov 04 12:30:28 ERROR   ACCESS_REG: Failed to open the DPT shared memory
Nov 04 12:30:28 ERROR   ACCESS_REG_INIT: Failed loading the DPT
Nov 04 12:30:28 ERROR   ACCESS_REG: Failed to open the DPT shared memory
-E- mlxi2c: mi_opend Failed status(MLXI2C_SX_CMDIF_INIT_FAILED:63)
switch-XXXXXX [standalone: master] (config fae) # mlxi2c -no_fru_detect -without_modules -s SX6036 chassis_fru
Nov 04 11:08:56 INFO    LOG: Initializing SX log with STDOUT as output file.
Nov 04 11:08:56 ERROR   ACCESS_REG: Failed to open the DPT shared memory
Nov 04 11:08:56 ERROR   ACCESS_REG_INIT: Failed loading the DPT
Nov 04 11:08:56 ERROR   ACCESS_REG: Failed to open the DPT shared memory
-E- mlxi2c: mi_opend Failed status(MLXI2C_CR_ERROR:9)
MLXI2C Help Message
Usage:
------
mlxi2c [switches...] <command> [parameters...]

Switch summary:
-----------------

-d <device> - MST i2c device name default: "/dev/mst/dev-i2c-1".
Commands affected: all.

-s <system> - System type default: Auto Detection.
Supported systems: MTS3600, FJ_SWITCH, BX4020,
BRIDGEX_EVB, BX4010, MTS3610,
MTPDK24, IS5025, IS5030, IS5035,
IS5600, IS5600_I2C0, BX1020,
BX5020, BX9020, IS5100, IS5200,
IS5024, IS5023, GEN_BOX, SX6036, SX6025,
SX90Y3245.
Commands affected: all.

-st <subsystem> - Detect separated module which is stand alone.
Supported modules: MTS3610_LEAF, MTS3610_SPINE, IS5001,
IS5002.
NOTE: You can not use -st and -s options at the same time.
Commands affected: all.

-m - Subsystem module name.
Command affected: show.

-h - Print this help information.

-v - Print version and exit.

-without_modules - Open only the mgmt module.

-ha_run - Run the mlxi2c as master/slave.

-no_fru_detect - In this mode the mlxi2c would not read the FRU EEPROM
to detect the modules type, it simply would use the base
topology of the given system (see -s option).

-ignore_modules <number of modules> [ignored modules list] -
Ignore the given modules, you need to specify the number of the modules.
NOTE: The name of the modules is without '/' such as: L01 S01 etc.

-use_int - Configure the GPIO to generate interrupt when needed.

-master_mode - Add the I2c buses to the virtual I2c.
If this mode is not specified, mlxi2c assumes that buses are already added

--dryrun - Prevents access to buses, run from database. System must be specified, f.e.:
mlxi2c --dryrun -no_fru_detect -s BARRACUDA_648 show devs -v

Command summary:
-----------------

q <i2c_component> - Query an i2c component.
Supported components: Adm1024, LM075, PCA9555, PCA9505,
ISMIC, PCF8591.

qv <i2c_component> - Query an i2c component for voltage.
Supported components: adm1024.

qt <i2c_component> - Query an i2c component for temperature.
Supported components: adm1024.

p <i2c_component> - Route the i2c path to the indicated i2c component.

init_gpio <gpio_name>
- Configure the GPIO pins.

set_gpio <gpio_name> <pin_name> <value>
- Set the output value of the given GPIO pin.

set_fan <fan_name> <Tach_num> <power_persent> [-set_max_power]
- Set the power percent of the given fan.
Override the max power register when -set_max_power is specified.

set_power <module_name> <off/on>
- Power on/off the specified module.
Supported modules: MTS3610_LEAF, MTS3610_SPINE.

set_led <led_name> <color>
- Change the color of the specified led to the given color.

set_ismic <ismic_name> <field_name> <value>
- Set the given ismic field.

get_ismic <ismic_name> <field_name>
- Set the given ismic field.

get_ismic_int <ismic_name>
- List the changed field's names by checking the interrupts.

set_cpld <cpld_name> <reg> <value>
- Set the cpld register.

get_cpld <cpld_name> <reg>
- Get the cpld register.

set_cpld_upgrade <cpld_number> <1/0>
- Enable/Disable cpld upgrade.

scan - Scan the i2c slave addresses

show <info_type> - Show information about the system or specific subsystem
module (related to -m flag).
The information types are:
devs [-v] : List the i2c components.
(-v) adds detailed information to the list.
modules : List the detachable subsystems modules.
temp : The temperatures of the components: ADM1024, LM075, PCF8591.
volt : The voltage values of all voltage monitor devices.
volt-sens : The voltage sensors name per sybsystem.
fans : The fans speed.
power : The power/voltage/current values of the power supplies.
battery : The batteries capacity.
leds [mod_name] :
The leds current colors on module or on main subsystem.
inventory : The inventory of the present modules.
fru <fru_name> :
The FRU info of the given FRU name.
NOTE: use "chassis" as the FRU name to get the system FRU info.
health <mod_name> :
Switch health of module.
cpld_ver [<subsystem_name> | <all>] :
Show cplds version. Optional: particular subsystem name or
all - show all system CPLDs.
battery_fw_ver :
Show battery FW version.

ps_fw_ver : Show battery FW version.

reset_i2c - Reset the i2c bus of the mgmt via the other i2c bus

parse_fru file <file_name>
- Parse the FRU info data that the given binary file contains.
parse_fru num_file <file_name>
- Parse the FRU info data that the given numeric file contains.
NOTE: This file should contain the data as it is displayed by the 'i2c' tool.
parse_fru dev <slave_addr> <addr_width>
- Parse the FRU info of the I2c device which has the given slave address.

hw_reset - Send HW reset to the system.

hw_test_func - Prepare functional hw test infrastructure.

is_bus_stuck - Check if main i2c bus is stuck.

bus_reset - Reset main i2c bus.

test_i2c_dev - Test if i2c device accessible.

qa - Query the given device for alarms.

qa_all - Query all the device for alarms.

mockup_gen - Generate mock-up data base.

all-battery-test - Run discgharge/charge test over all available batteries.

battery-test - Run discgharge/charge test.

get_reset_cause - Get reset cause.

assert_reset_signal <signal name> - Assert reset signal (CPLD based only)

cpld_update <cld_name> <cpld_img with full path> [<subsystem>]

update_bootstrap - Dangerous!!! System should be rebooted after update!!!

update_bootstrap200 - Dangerous!!! System should be rebooted after update!!!

update_bootstrap166 - Dangerous!!! System should be rebooted after update!!!

set_battery_charge - set batteries to given charge mode <charge|discharge|both>

set_battery_charge_mask - set batteries to given charge mode <charge|discharge|bothch|bothdis>

set_battery_charge_rate - set batteries to given charge rate <low|high>

set_battery - set batteries to given mode <charge|discharge|both|low|high>

get_battery_design - get battery design

ps_health - get indication whether all presented PSs are in a good health

burn_device - burn given device with given image

sys_pwr_cycle - make subsystem power cycle [<subsystem>]

chassis_fru - show chassis fru from file system (create file if not exist)
mellaggra _read [bus][addr][offset][width][len]
mellaggra _write [bus][addr][offset][width][len][data]
mellaggra _write_crc8 [bus][addr][offset][width][len][data]
mellaggra _read_num [bus][addr][offset][width][len][num]
mellaggra _write_num [bus][addr][offset][width][len][num][seq][delay][data]
mellaggra _write_read_num [bus][addr][offset][width][len][num][seq][delay][data]
mellaggra _read_write_num [bus][addr][offset][width][len][num][seq][delay][data]
mellaggra _read_attr [attr][bus][addr][offset][len]
mellaggra _read_attr_cached [attr][bus][addr][offset][len][in-len][optional in-data]
mellaggra _write_attr [attr][bus][addr][offset][len][data]
mellaggra _read_attr_num [attr][bus][addr][offset][len][num]
mellaggra _write_attr_num [attr][bus][addr][offset][len][num][data]
mellaggra _ioread [base][offset][len]
mellaggra _iowrite [base][offset][len][val]
mellaggra _add
mellaggra _remove_orca
mellaggra _add_orca
mellaggra _remove_orca_down
mellaggra _add_orca_down
mellaggra _add_orca_sf [parent bus][start bus][parent switch hex]
mellaggra _remove_orca_sf [parent bus][parent switch hex]
mellaggra _remove
mellaggra _remove_second
mellaggra _remove_prim
mellaggra _add_dev_prim
mellaggra _add_dev_second
mellaggra _remove_dev_prim
mellaggra _remove_dev_second
mellaggra _add_dev [name][bus][addr]
mellaggra _remove_dev [bus][addr]
mellaggra _scan_bus [bus]
mellaggra _add_gpio_bus
mellaggra _remove_gpio_bus
mellaggra _write_fru [bus][addr][fname][opt:width]
mellaggra _read_fru [bus][addr][fname][opt:width]
mellaggra _read_vpd [bus][addr][offset][width][len]
mellaggra _write_vpd [bus][addr][offset][width][len][data]
mellaggra _burn_bbu [bus][addr][fname]
mellaggra _burn_psu [bus][addr][fname]
mellaggra _read_crspace [bus][addr][offset][len]
mellaggra _dump_crspace [bus][addr][offset][len][file]
mellaggra _read_leg [bus][addr][offset][width][len]
mellaggra _write_leg [bus][addr][offset][width][len][data]
mellaggra _eeprom_test [bus][addr][offset][datalen][size]
mellaggra _emul4_read [dev name][offset][datalen]
mellaggra _emul4_write [dev name][offset][datalen]
mellaggra _emul_read [dev name][offset][addr][datalen]
mellaggra _emul_write [dev name][offset][addr][datalen]
mellaggra _read_vpd_lim [bus][addr][offset][width][bus_prot]
[addr_prot][reg_prot][get_prot][put_prot][limit][border]
[rchunk_del][wchunk_del][post_del][flags][len]
mellaggra _write_vpd_lim [bus][addr][offset][width][bus_prot]
[addr_prot][reg_prot][get_prot][put_prot][limit][border]
[rchunk_del][wchunk_del][post_del][flags][len][data]
mellaggra _config_led_1024x
mellaggra _config_fan_1024x
mellaggra _config_temp_sensor_1024x
mellaggra _add_cpld_mux
mellaggra _remove_cpld_mux
mellaggra _add_barracuda 648|324|216|108
mellaggra _remove_barracuda 648|324|216|108
Mellanox Configuration Registers Access tool
Usage: mcra [-s <i2c-slave>] [-a <adb dump>] [-v] [-h] <device>
<addr[.<bit offset>:<bit size>]|[,<bytes number>]> [data]
If data is given, operation is write. Otherwise it is read.
If a bit range is given in the address (E.G.: 0xf0014.16:8):
For read - Only the requested bits are printed.
For write - Read-Modify-Write. Only the requested bits are changed.
If 'bytes number' is given in the address (E.G.: 0xf0014,16):
For read - Will read a block (its size is the given bytes number).
For write - User need to give list of dwrods to write,
number of dwords should be (bytes number/4).

-s <i2c-slave> : I2C slave address.
-a <dump file> : adb dump file, used for access by path.
-h : Print this help message.
-v : Display version info

Environment Variables:
ADB_DUMP : Holds the path to adb dump, used for access by path (can be overriden by "-a").

For recent MLNX-OS (3.6.6003 for example, 3.6.4006 will not work) it's even easier:

Code:
enable
configure terminal
boot bootmgr password 7 ""
write memory
show bootvar
There should be no passwords in boot manager, IMO.
Even Huawei allows bootmgr access:
[All About Switches] 07 User Login Password-Switch-Huawei Enterprise Support Community

Code:
/opt/tms/bin/mddbreq /config/db/initial set modify - /system/bootmgr/password string ''
eetool -a bf -s UBPASSWD=""
That makes settings persistent and on the next boot the password is gone.
If that helped, please endorse: https://goo.gl/RfjbnG