From December 19 to December 28 zarb.org main server was down. This server host(s|ed) many things including this blog, Mageia website, PLF, ... The reason why it took so long is that the server is in the south of France, kindly hosted by Lost Oasis and we have no one nearby to physically access it, and in this case we had lost our main raid array.
This server (kindly donated by HP almost 10 years ago) has a remote administration card (P1218A) but it is not really usable for anything except rebooting the machine. The remote console more or less works with some of the java versions from sun, but most of the time it only displays the top third of the screen, until next refresh when it goes black, and misses many keystrokes. This made it unsuitable for accessing the RAID BIOS and finding the problem.
After about a week, for some unknown reason (I could have done it many times over the last 10 years), I thought of looking at the communications between the applet and the management card. Everything was clear text and very simple. The next days I wrote a ruby-gtk client for the card, accessed the BIOS, found that the 4 disks had been marked has failed without errors and were correctly syncronized, and put them back online.
The first (and longest) part was to find how to login and get the session cookie. The exchange looks like:
GET /cgi/challenge HTTP/1.1
<?xml version='1.0'?><?RMCXML version='1.0'?><RMCLOGIN><CHALLENGE>DJRhNVfOWfuB8fS/6PFazg==</CHALLENGE><RC>0x0</RC></RMCLOGIN>
GET /cgi/login?user=FOO&hash=UtPRDzFS36s0jJBgTmtS4JDR HTTP/1.1
Challenge was obviously 16 bytes of data base64 encoded. Response was called hash and was 18 bytes whatever the password is. Given that it was written more than 10 years ago, I supposed it would be md5, even if it only gives 16 bytes.
I then wrote a small ruby application trying various combinations (md5(challenge + password), md5(xor(callenge,password)), xor(challenge,md5(password)), ...) and found that md5(xor(challenge,md5(password))) was giving me the correct first 16 bytes.
I then used an online CRC calculator to find that the remaining 2 bytes are "CRC-CCITT (XModem)".
The other big part was the remote console.
Getting the current screen content is quite easy, it's a GET on /cgi/scrtxtdump (with an optional force=1 parameter).
In my initial tests there was 0x10 between each character so I just filtered them out. I found later that it actually gives attributes for the character (bold, color, ...) and now support the ones I have seen so far.
Sending a keypress is quite easy too, it's a POST to /cgi/bin with data being <RMCSEQ><REQ CMD="keybsend"><KEYS>space separated scancodes</KEYS></REQ></RMCSEQ>.
The code is now online, still very ugly, but hopefuly helpful :)