Intel(r) switches backdoor

I recently got an Intel(r) Express 530T switch from eBay. It’s a “Manageable” switch, which means that you can connect to it through a null modem cable, telnet or a web interface to modify its configuration (change MAC address filtering, create/delete VLANs, change port speeds and priority, …).

But when I tried to connect to the switch, I discovered that it hadn’t been reset, and that the seller hadn’t given me the username and password needed to manage it.

After trying to find a reset button around, under, and even inside the switch, I sent a mail to the seller and contacted Intel support.
As the seller wasn’t responding and Intel support wasn’t able to give me a reset procedure, I crawled the web and managed to find a little Intel(r) utility “that does not exist”, according to the Russian website that was distributing it (sorry, I can’t remember the address).
This utility computes a backdoor password that depends on your switch’s MAC address.

The documentation that comes with this Intel(r) utility says that it works with:
* Intel(R) Express 330T Hub with Management Module
* Intel(R) NetStructure(TM) 470T/470F Switches
* Intel(R) Express 460T Standalone Switch
* Intel(R) Express 530T/535T Stackable Switches
It also says that you must leave the username blank and enter only the password, and that the backdoor password only works from the management port on the switch (it will not work through telnet or the web interface).

So, after getting a password for my switch, I started to look at the password generation algorithm.
Here is the code of the password generation function :
Intel(r) Backdoor password generation function

After reading this code, I managed to draw this little diagram of the generation algorithm:
(Where M1 to M6 are the 6 MAC address bytes; xor is an exclusive or between two bytes; ! is a bitwise inversion, i.e. all 0s become 1s and all 1s become 0s; shl1 is a left shift by 1 bit; shr7 is a right shift by 7 bits)

intel-backdoor-algo-img1.png

After running these transformations twice on the buffer originally containing the switch MAC address, the password is the hexadecimal representation of M4, M5, M6.
Thus, for example, if M4=0xA0, M5=0x55 and M6=0xEF, the password will be: A055EF.
Note: letters are always in uppercase.
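
The input and output handling around the algorithm, as an added example (it is not the author's intel_backdoor.c, and it leaves out the transformation itself, whose diagram is not reproduced on this page). It reads a MAC string into the 6-byte buffer M1..M6 through a 13-byte string buffer (12 hex digits plus the terminating NUL) and writes M4, M5, M6 as uppercase hex; all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#define MAC_BYTES   6
#define MAC_HEX_LEN (2 * MAC_BYTES)   /* 12 hex digits */

/* Copy the hex digits of `in` into `hex`, skipping ' ', ':' and '-'.
 * `hex` must hold 13 bytes (12 digits + NUL). Returns 0, or -1 on bad input. */
int normalize_mac(const char *in, char hex[MAC_HEX_LEN + 1])
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        if (*in == ' ' || *in == ':' || *in == '-')
            continue;
        if (!isxdigit((unsigned char)*in) || n == MAC_HEX_LEN)
            return -1;                /* never write past digit 12 */
        hex[n++] = (char)toupper((unsigned char)*in);
    }
    hex[n] = '\0';
    return n == MAC_HEX_LEN ? 0 : -1;
}

/* Parse a MAC string into the 6-byte buffer M1..M6. */
int parse_mac(const char *in, unsigned char m[MAC_BYTES])
{
    char hex[MAC_HEX_LEN + 1];
    if (normalize_mac(in, hex) != 0)
        return -1;
    for (int i = 0; i < MAC_BYTES; i++) {
        char pair[3] = { hex[2 * i], hex[2 * i + 1], '\0' };
        m[i] = (unsigned char)strtoul(pair, NULL, 16);
    }
    return 0;
}

/* Write M4, M5, M6 as six uppercase hex digits; `out` must hold 7 bytes. */
char *format_m4_m6(const unsigned char m[MAC_BYTES], char out[7])
{
    snprintf(out, 7, "%02X%02X%02X", m[3], m[4], m[5]);
    return out;
}

int main(void)
{
    const unsigned char m[MAC_BYTES] = { 0, 0, 0, 0xA0, 0x55, 0xEF }; /* constructed */
    char out[7];
    puts(format_m4_m6(m, out));
    return 0;
}
```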

Here you can find an implementation of this algorithm :
intel_backdoor.c (C source code)
intel_backdoor.gz (Linux x86 binary)
intel_backdoor.exe (Windows binary)
Just for fun : a demo :)
I hope you enjoyed this post as much as I enjoyed writing it ;)

27 Responses to “Intel(r) switches backdoor”

  1. Thomas Says:

    Nice illustration. You did it with latex or what ?

  2. xipe Says:

    Ahah so funny Thomas ;) But yes done with Latex.

  3. Manu Says:

    Simply wonderful.

    :)

  4. MalC0de Says:

    Hey, cool.
    thanks
    hopefully see more great posts like this later …

    - MalC0de

  5. mohamed Says:

    tankssssssssssssssssssss

  6. Seb Says:

    Great work! :-)

    Just a tiny patch to avoid memory corruption: buffer should be 13 bytes long (don’t forget the terminating '\0' ;-) ).

  7. xipe Says:

    Oh yeah, that’s true ;) done.

  8. tdk Says:

    hi:)

    my switch which is:

    Intel Express ES101TX 8-Port Modular Network Switch/Hub

    is not in your listing which said can be open by your script.

    how can i apply those script that u gave if ever i’m using a HyperTerminal using its console port in accessing the said switch?

    and by the way, the OS in my PC is WIn XP.

    thanks ;->

    p.s. hope u can really assist me, i put here the link of my inquiries posted in intel site.

  9. dcybel Says:

    i’m french
    the backdoor does not run for me, my mac address is 00 03 47 5F 50 5C, it’s an intel express 530t

    i require help
    you have a solution??

  10. xipe Says:

    Hi dcybel,
    I am french too ;)

    Are you sure you are connecting from the serial (a.k.a management) port ?

    Here is what I get when I run intel_backdoor with your MAC address:
    xipe@papamobil /tmp % ./intel_backdoor 0003475F505C

    Backdoor password generator for INTEL(R) Switches
    —————http://redstack.net—————
    More informations in the source code

    Your MAC : 0003475F505C
    Your Password : 7E48E3
    Enjoy !;)
    xipe@papamobil /tmp %

    If it still doesn’t work, just drop me a line by mail (my mail address is available on the blog main page, under the menu)

  11. Tonij Says:

    Hi, I got the original program from Intel from this website. http://makkintosshu.dyndns.org/

    I can send you the file if you want.

    Thanks.
    Tonij

  12. xipe Says:

    Great, the exact link is http://makkintosshu.dyndns.org/journal/intel-express-530t-switch-documentation-firmware-and-utilities. There are also firmwares.

    Anyway, the one here is open source and can run under linux/bsd/* ;)

  13. Dj Atlanta Says:

    Thx a lot for this soft!

    I can access my old intel 460T !!

  14. dk Says:

    Excellent, just reset 5 of our 530T

  15. Adrian Says:

    Hi,
    On WinXP the utility runs fine, and I get a password. My problem is connecting to the 530T… No matter what I do, my keyboard does not seem to register any keystrokes on the switch’s login screen (using HyperTerminal).
    I have a cursor flashing in “username” but I can’t go any further. I’ve tried different types of emulation – no luck so far.

    Any suggestions?

  16. xipe Says:

    Your terminal should be configured as follows:
    Speed: 9600
    Bits: 8
    Parity: N
    Stop Bits: 1
    Flow control : No

    With this configuration it should work.

  17. nk Says:

    Many thanks from me too!

  18. Mark Says:

    Hi,

    I have exactly the same problem as Adrian. I can get to the password screen through the serial interface, but it won’t let me type anything. I have tried both HyperTerminal under Windows and minicom under Linux, and I’m definitely using all the right settings. I can connect to the switch via telnet and this lets me type, but obviously the backdoor password doesn’t work. I’ve searched all over for a solution, and this is beginning to drive me crazy! Does anyone here have any ideas?

  19. xipe Says:

    Hi Mark,
    The backdoor password will only work using the serial port.
    Have you tried with another cable ?

  20. ek7pp Says:

    Hi, can anybody send me a last firmware for intel express 460t, Thanks.

  21. ek7pp Says:

    kgharibyan@gmail.com

  22. PhatB Says:

    I as well am in search of updated firmware for both my 16 and 24 port Intel 460T’s

  23. asf Says:

    so, your blog is dead?

  24. xipe Says:

    Hi asf :) no my blog is not dead, I only lacked time during the last months, but I should have more free time starting in mid-August after moving to Denmark … btw I still need to find an interesting job in the IT security industry in DK … :)

  25. carbon14c Says:

    i was wondering the same, xipe! it has been added to my favorites ;D

  26. marcos Says:

    I need the firmware from intel 460t.
    if someone send me marcos.molina90@gmail.com

  27. lampson Says:

    Hi, can anybody send me a last firmware for intel express 460t, Thanks.

    lampsonlam@hotmail.com
