I'm refraining from vendor-specific items unless they're of particular note; I've put a few in the section at the end.
There's a detailed (but not complete) and fairly technical writeup on IPMI basics
by Corey Minyard.
It's hard to understand IPMI/BMC land without some knowledge of
flash. NOR is a "random access device appropriate for
code storage application", while NAND is better for storage (you
can't directly execute code from NAND; it "must be loaded
into RAM memory and executed from there").
MTD - memory technology device; an abstraction layer for raw flash devices
(NAND, NOR, etc.). Some very useful background information on MTD:
Jarrod B Johnson, Raleigh/IBM@IBMUS. Private communications. Especially
invaluable for telling me about the dangers of Cipher Zero as well
as passwords being stored as plaintext on the BMC.
FreeIPMI in particular has amazing documentation and is used in many
vendor offerings. Finally, there's a
really nice (and fair) comparison
of them on sourceforge written by one of the authors.
I used a ton of tools, way too many to mention more than a few. On any
sort of unix/linux variant strings is just such a frickin' great tool...
use that on any binaries along with "hexdump -C"; strace is also godly.
Binwalk
and the
firmware-mod-kit
were also useful in unraveling some details. Luigi's
signsrch provided
some color commentary (Windows only, but it can run via wine, e.g.
"wine ~/signsrch.exe binary.file").
Qemu was invaluable for
emulating some ARM processor things and
DosBox
saved me from having to dig out the ol' DOS floppies (DOS may never die;
assorted low-level system vendor programs still run via DOS). With the
exception of DosBox and the 4 IPMI utilities up there, just about every
tool had terrible documentation or was difficult to get working on most
of the systems I had (Qemu in particular would be even more astonishing
if it would only run correctly).
Details on SMI/SMM:
A paper that discusses using IPMI to generate SMIs to enter into SMM mode:
CERN used a set of programs to generate daily random IPMI passwords to
manage just under 2,000 servers - a nice writeup here:
A nice overview of AMT security (the IPMI-like thing in PCs and such) is in
Vassilios Ververis'
Joanna Rutkowska on using a USB stick to compromise encryption keys in general is worth
reading; she dubbed it:
There are many references and tools to aid in USB sniffing; here are
some Linux references, but typing "USB sniffing" into any search
engine will get lots of others.
Forensics and flash, a match made in heaven; from SMALL SCALE DIGITAL
DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007; Marcel Breeuwsma,
Martien de Jongh, Coert Klaver, Ronald van der Knijff and Mark
Roeloffs:
Dell's security overview for iDRAC 6:
HP's security overview for iLO 3:
Darren Cepulis/HP's patent application has some interesting details on
using SMIs with virtual disks (and quite possibly sheds some light on
how HP implements such things in iLO.)
Supermicro got into the game with a one-page Best Practices guide -
Security
HD Moore put together
a really fine set
of methods to exploit various issues with IPMI. Required reading for some of the dangers.
Software
Four very high quality IPMI software packages: freeipmi, ipmitools,
ipmiutils, and openipmi. In addition to the software they have some
excellent documentation, write-ups and details about the world of IPMI.
While perhaps not possessing the most imaginative of names, they're all
worth checking out:
Mac Tools
(mostly) Linux Tools
Mucking with firmware, assorted links, papers, etc.
IPMI stuff is all about embedded systems; a really nice intro to such things
is Christopher Hallinan's book, which is simply excellent, especially
for modestly technical beginners such as myself:
Additional reading
Vendor stuff
I've downloaded many BMC ROMs and have read through more vendor manuals than I can count. Here are a few highlights.