IPMI & related resources

(last update 1/6/13)

I'm refraining from vendor-specific items unless they're of particular note; I've put a few in the section at the end.

General IPMI

Start with the source; Intel has put out a variety of documents; in particular the IPMI specifications, for 1.5 and 2.0 (484 and 644 pages of deathless prose, respectively) and the IPMI CIM Mapping Guideline were invaluable:

  • IPMI spex - all versions

  • IPMI/CIM Mapping guide

    There's a detailed (but not complete) fairly technical writeup on IPMI basics by Corey Minyard in 2006

  • IPMI - A Gentle Introduction with OpenIPMI.

    It's hard to understand IPMI/BMC land without some knowledge of flash. NOR is a "random access device appropriate for code storage application", while NAND is better for bulk storage (you can't directly execute code from NAND; it "must be loaded into RAM memory and executed from there"). BMC firmware images therefore tend to be laid out as a bootloader plus a kernel and root filesystem that get copied into RAM, which matters when you pull them apart:

  • NAND vs. NOR flash - a Flashy writeup

    MTD - memory technology device; an abstraction layer for raw flash devices (NAND, NOR, etc.) Some very useful background information on MTD:

  • http://www.linux-mtd.infradead.org/

    Jarrod B Johnson, Raleigh/IBM@IBMUS. Private communications. Especially invaluable for telling me about the dangers of Cipher Zero as well as passwords being stored as plaintext on the BMC.


    HD Moore put together a really fine set of methods to exploit various issues with IPMI. Required reading for some of the dangers.
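    As an added illustration of the Cipher Zero problem mentioned above (this is not code from the page, from HD Moore's tools, or from any of the IPMI projects linked here), the Python below builds and parses RMCP+ Open Session Request/Response packets using the IPMI 2.0 layout and flags a session negotiated with cipher suite 0, i.e. authentication, integrity and confidentiality algorithms all set to "none". That negotiation is what lets a client log in as any user name without knowing the password. The packets are constructed inline rather than captured from a real BMC; the cipher-suite table is a subset of the spec's table; the rejection status code 0x11 ("no cipher suite match") is taken from the spec's RMCP+ status code list.

```python
"""
Audit RMCP+ (IPMI 2.0) Open Session packets for Cipher Suite 0 ("Cipher Zero").

Added example, not code from the original page or any IPMI project.  Packet
layouts follow the IPMI 2.0 spec (RMCP header, RMCP+ session header, Open
Session Request/Response payloads); the packets built below are constructed
here, not captured from a live BMC.
"""
import struct

RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])  # version 6, reserved, seq none, class IPMI
AUTH_TYPE_RMCP_PLUS = 0x06
PAYLOAD_OPEN_SESSION_REQ = 0x10
PAYLOAD_OPEN_SESSION_RSP = 0x11
PRIV_ADMIN = 0x04
STATUS_NO_CIPHER_MATCH = 0x11   # RMCP+ status: no cipher suite match with proposed algorithms

# Cipher suite ID -> (authentication, integrity, confidentiality) algorithm IDs
# (subset of the IPMI 2.0 cipher suite table).  Suite 0 is "none" for all three:
# no RAKP authentication at all, so any user name is accepted without a password.
CIPHER_SUITES = {
    0: (0, 0, 0),
    1: (1, 0, 0),
    2: (1, 1, 0),
    3: (1, 1, 1),   # RAKP-HMAC-SHA1, HMAC-SHA1-96, AES-CBC-128
    6: (2, 0, 0),
    7: (2, 2, 0),
    8: (2, 2, 1),
    17: (3, 4, 1),  # RAKP-HMAC-SHA256, HMAC-SHA256-128, AES-CBC-128
}


def _algo_record(kind, algo):
    # 8-byte algorithm payload: type (0 auth, 1 integrity, 2 confidentiality),
    # two reserved bytes, length (always 8), algorithm number, three reserved bytes.
    return struct.pack("<BHBB3x", kind, 0, 8, algo & 0x3F)


def _session_header(payload_type, payload_len):
    # RMCP+ session header: auth type, payload type, session ID, sequence, payload length.
    # Session ID and sequence are 0 before a session exists.
    return RMCP_HEADER + struct.pack("<BBIIH", AUTH_TYPE_RMCP_PLUS, payload_type, 0, 0, payload_len)


def build_open_session_request(cipher_suite, console_session_id=0xA0A1A2A3, tag=0):
    """Client -> BMC: propose a cipher suite.  Payload is 32 bytes."""
    auth, integ, conf = CIPHER_SUITES[cipher_suite]
    payload = (struct.pack("<BBxxI", tag, PRIV_ADMIN, console_session_id)
               + _algo_record(0, auth) + _algo_record(1, integ) + _algo_record(2, conf))
    return _session_header(PAYLOAD_OPEN_SESSION_REQ, len(payload)) + payload


def build_open_session_response(cipher_suite, status=0, console_session_id=0xA0A1A2A3,
                                bmc_session_id=0x00000001, tag=0):
    """BMC -> client: accept (status 0) or reject the proposal.  Payload is 36 bytes."""
    auth, integ, conf = CIPHER_SUITES[cipher_suite]
    payload = (struct.pack("<BBBxII", tag, status, PRIV_ADMIN, console_session_id, bmc_session_id)
               + _algo_record(0, auth) + _algo_record(1, integ) + _algo_record(2, conf))
    return _session_header(PAYLOAD_OPEN_SESSION_RSP, len(payload)) + payload


def parse_open_session(pkt):
    """Describe an Open Session Request/Response; None if pkt is not one."""
    if len(pkt) < 16 or pkt[:4] != RMCP_HEADER:
        return None
    auth_type, ptype, _sid, _seq, plen = struct.unpack_from("<BBIIH", pkt, 4)
    if auth_type != AUTH_TYPE_RMCP_PLUS:
        return None
    ptype &= 0x3F                      # strip the encrypted/authenticated flag bits
    payload = pkt[16:16 + plen]
    if ptype == PAYLOAD_OPEN_SESSION_REQ and len(payload) >= 32:
        info, off = {"kind": "request", "status": None}, 8
    elif ptype == PAYLOAD_OPEN_SESSION_RSP and len(payload) >= 36:
        info, off = {"kind": "response", "status": payload[1]}, 12
    else:
        return None
    algos = {}
    for rec in range(3):
        kind, _reserved, _length, algo = struct.unpack_from("<BHBB", payload, off + 8 * rec)
        algos[kind] = algo & 0x3F
    info.update(auth=algos.get(0), integrity=algos.get(1), confidentiality=algos.get(2))
    info["cipher_zero"] = (info["auth"], info["integrity"], info["confidentiality"]) == (0, 0, 0)
    return info


def audit(pkt):
    """Return a finding string, or None when the packet raises no Cipher Zero concern."""
    info = parse_open_session(pkt)
    if info is None or not info["cipher_zero"]:
        return None
    if info["kind"] == "request":
        return "client proposed Cipher Suite 0 (no authentication, integrity or encryption)"
    if info["status"] == 0:
        return "BMC ACCEPTED Cipher Suite 0: any user name logs in without a password"
    return "BMC rejected Cipher Suite 0 (status 0x%02x)" % info["status"]


if __name__ == "__main__":
    for suite in (0, 3):
        print("request, suite %d:" % suite, audit(build_open_session_request(suite)))
    print("response, accepted:", audit(build_open_session_response(0)))
    print("response, rejected:", audit(build_open_session_response(0, status=STATUS_NO_CIPHER_MATCH)))
```

    Against a real BMC the same check is one ipmitool command, "ipmitool -I lanplus -C 0 -H <bmc> -U <user> -P anything user list": if it returns the user table, the BMC accepts Cipher Zero and that suite needs to be disabled in the LAN channel's cipher suite privilege settings. Watching for a 0x11 Open Session Response with all three algorithms set to 0 and a status of 0 on the management network is the passive equivalent.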


    Four very high quality IPMI software packages: freeipmi, ipmitool, ipmiutil, and openipmi; in addition to the software they have some excellent documentation, write-ups and details about the world of IPMI. While perhaps not possessing the most imaginative of names, they're all worth checking out:

    FreeIPMI in particular has amazing documentation and is used in many vendor offerings. Finally, there's a really nice (and fair) comparison of them on sourceforge written by one of the authors.

    I used a ton of tools, way too many to mention more than a few. On any sort of unix/linux variant strings is just such a frickin' great tool... use that on any binaries along with "hexdump -C"; strace is also godly.

    Binwalk and the firmware-mod-kit were also useful in unraveling some details. Luigi's signsrch provided some color commentary (Windows only, but it can run via wine, e.g. "wine ~/signsrch.exe binary.file".) Qemu was invaluable for emulating some ARM processor things and DosBox saved me from having to dig out the ol' DOS floppies (DOS may never die; assorted low-level system vendor programs still run via DOS.) With the exception of DosBox and the 4 IPMI utilities up there, just about every tool had terrible documentation or was difficult to get working on most of the systems I had (Qemu in particular would be even more astonishing if it would only run correctly.)

    Mac Tools

    (mostly) Linux Tools

    Mucking with firmware, assorted links, papers, etc.

    IPMI stuff is all about embedded systems; a really nice intro to such things is Christopher Hallinan's book, which is simply an excellent book, especially for modestly technical beginners such as myself:

  • Embedded Linux Primer: A Practical Real-World Approach

  • Project Maux Mk.II (and Mk III as well), a talk on how to install SSH on a NIC (network card), by Arrigo Triulzi, arrigo@sevenseas.org (Arrigo's homepage: http://www.alchemistowl.org/arrigo/)

    Additional reading

  • Interview with Bill Johnson, who talked about IPMI back in '08:

    Details on SMI/SMM:

  • Wiki page on SMM/SMI

  • An Analysis of System Management Mode (SMM)-based Integrity Checking Systems and Evasion Attacks, J. Wang, K. Sun, and A. Stavrou, a GMU technical report.

    A paper that discusses using IPMI (via the BMC) to generate SMIs and thereby enter SMM:

  • HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity, by A.M. Azab et al. Unfortunately the exact method used to generate SMIs from the BMC was received under an NDA from IBM (private communication with A.M. Azab.)

    CERN used a set of programs to generate daily random IPMI passwords to manage just under 2,000 servers - a nice writeup here:

  • Using the Intelligent Platform Management Interface (IPMI) at the LHC GRID, by Hugo J. M. Cacote & M. Masi, 2007.

    A nice overview of AMT security (the IPMI-like management technology in Intel PCs and laptops) is in Vassilios Ververis'

  • "Security Evaluation of Intel's Active Management Technology".

    Joanna Rutkowska's write-up on booting a machine from a USB stick to plant a tampered bootloader that captures the disk-encryption passphrase is worth reading; she dubbed it:

  • the Evil Maid Attack,

    There are many references and tools to aid in USB sniffing; here are some Linux references, but typing "USB sniffing" into any search engine will get lots of others.

  • Linux USB tools

    Forensics and flash, a match made in heaven; from Small Scale Digital Device Forensics Journal, Vol. 1, No. 1, June 2007; Marcel Breeuwsma, Martien de Jongh, Coert Klaver, Ronald van der Knijff and Mark Roeloffs:

  • Forensic Data Recovery from Flash Memory

  • Lessons Learned from Five Years of Building More Secure Software, M. Howard, 11/2007 MSDN Magazine.

  • Milk or Wine: Does Software Security Improve with Age?, A. Ozment and S. Schechter, 2006 USENIX Security

    Vendor stuff

    I've downloaded many BMC ROMs and have read through more vendor manuals than I can count. Here are a few highlights.

    Dell's security overview for iDRAC 6:

  • Integrated Dell Remote Access Controller 6 Security

    HP's security overview for iLO 3:

  • The HP Integrated Lights-Out Security, 7th edition

    Darren Cepulis/HP's patent application has some interesting details on using SMIs with virtual disks (and quite possibly sheds some light on how HP implements such things in iLO.)

  • "System ROM with an embedded disk image"

    Supermicro got into the game with a one-page Best Practices guide -

  • Best Practices for managing servers with IPMI features enabled in Datacenters